
CN115577347B - Driver protection method and device - Google Patents

Info

Publication number
CN115577347B
Authority
CN
China
Prior art keywords
thread
information
driver
hash value
callback function
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211478795.8A
Other languages
Chinese (zh)
Other versions
CN115577347A (en)
Inventor
Name withheld on request
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mole Thread Intelligent Technology (Beijing) Co.,Ltd.
Original Assignee
Moore Threads Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Moore Threads Technology Co Ltd
Priority to CN202211478795.8A
Publication of CN115577347A
Application granted
Publication of CN115577347B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575: Secure boot
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The present disclosure relates to the field of computer technology, and in particular to a driver protection method and device. The method includes: after the driver of a hardware device is loaded into memory, determining key information of the driver; determining first thread information, second thread information and third thread information; starting the first thread, the second thread and the third thread; and, according to the key information, the first thread information, the second thread information and the third thread information, the first thread guarding the second thread, the second thread guarding the third thread and the driver, and the third thread guarding the first thread and the driver. Embodiments of the present disclosure guard the driver in a ring through the first thread, the second thread and the third thread, preventing the driver from being hijacked and thereby improving the security of the driver.

Description

Driver protection method and device

Technical field

The present disclosure relates to the field of computer technology, and in particular to a driver protection method and device.

Background

A computer usually includes hardware devices such as a graphics card, a sound card and a network card. The operating system communicates with a hardware device through a driver; for example, it communicates with the graphics card through the graphics card driver. While a computer is in use, the drivers of hardware devices are often hijacked: for example, some functions in a driver are often hooked or patched, so that user data is tampered with or destroyed, which affects the user. A method that can prevent the driver of a hardware device from being hijacked is therefore urgently needed.

Summary of the invention

In view of this, the present disclosure proposes a driver protection method and device.

According to one aspect of the present disclosure, a driver protection method is provided. The method includes: after the driver of a hardware device is loaded into memory, determining key information of the driver, the key information including at least one of callback function table information, callback function information and dispatch function table information of the driver; determining first thread information, second thread information and third thread information, where the first thread information includes the address, length and hash value of the first code corresponding to the first thread, the second thread information includes the address, length and hash value of the second code corresponding to the second thread, and the third thread information includes the address, length and hash value of the third code corresponding to the third thread; starting the first thread, the second thread and the third thread; and, according to the key information, the first thread information, the second thread information and the third thread information, the first thread guarding the second thread, the second thread guarding the third thread and the driver, and the third thread guarding the first thread and the driver.

In a possible implementation, the guarding performed according to the key information, the first thread information, the second thread information and the third thread information (the first thread guarding the second thread, the second thread guarding the third thread and the driver, and the third thread guarding the first thread and the driver) includes: the first thread guards the second thread according to the second thread information; the second thread guards the driver's callback function table, the driver's dispatch function table and the third thread according to the key information and the third thread information; and the third thread guards the driver's callback functions and the first thread according to the key information and the first thread information.

In a possible implementation, the first thread guarding the second thread according to the second thread information includes: the first thread calculates the hash value of the second code according to the address and length in the second thread information; if the hash value of the second code is the same as the hash value in the second thread information, the first thread checks whether the second thread has exited; if the second thread has not exited, the first thread sleeps for a preset duration and then resumes execution from the following step: the first thread calculates the hash value of the second code according to the address and length in the second thread information.

In a possible implementation, the first thread guarding the second thread according to the second thread information further includes: if the hash value of the second code differs from the hash value in the second thread information, the first thread repairs the second code according to the driver image and the address and length in the second thread information, where the driver image is an in-memory backup of the original driver on the hard disk.

In a possible implementation, the first thread guarding the second thread according to the second thread information further includes: if the second thread has exited, the first thread restarts the second thread.

In a possible implementation, the second thread guarding the driver's callback function table, the driver's dispatch function table and the third thread according to the key information and the third thread information includes: the second thread guards the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information; and the second thread guards the third thread according to the third thread information.

In a possible implementation, the callback function table information includes the address, length and hash value of the driver's callback function table, and the dispatch function table information includes the address, length and hash value of the driver's dispatch function table. The second thread guarding the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information includes: the second thread calculates the hash value of the driver's callback function table according to the address and length in the callback function table information; if the hash value of the driver's callback function table differs from the hash value in the callback function table information, the second thread repairs the driver's callback function table according to the driver image and the address and length in the callback function table information; the second thread calculates the hash value of the driver's dispatch function table according to the address and length in the dispatch function table information; if the hash value of the driver's dispatch function table differs from the hash value in the dispatch function table information, the second thread repairs the driver's dispatch function table according to the driver image and the address and length in the dispatch function table information.

In a possible implementation, the third thread guarding the driver's callback functions and the first thread according to the key information and the first thread information includes: the third thread guards the driver's callback functions according to the callback function information in the key information; and the third thread guards the first thread according to the first thread information.

In a possible implementation, the callback function information includes the addresses, lengths and hash values of all callback functions of the driver. The third thread guarding the driver's callback functions according to the callback function information in the key information includes: for any callback function of the driver, the third thread calculates the hash value of the callback function according to the address and length of that callback function in the callback function information; if the hash value of the callback function differs from a reference hash value, the second thread repairs the code of the callback function according to the driver image and the address and length of that callback function in the callback function table information, where the reference hash value is the hash value of that callback function in the callback function information.

In a possible implementation, the method further includes: the driver's interrupt service guards the first thread.

In a possible implementation, the driver's interrupt service guarding the first thread includes: before the driver's interrupt service performs interrupt processing, the interrupt service calculates the hash value of the first code according to the address and length in the first thread information; if the hash value of the first code is the same as the hash value in the first thread information, the interrupt service checks whether the first thread has exited; if the first thread has not exited, the interrupt service performs the interrupt processing.

In a possible implementation, the method further includes: the firmware of the hardware device guards the interrupt service.

In a possible implementation, the key information further includes interrupt handler information corresponding to the interrupt service, and the interrupt handler information includes the address, length and hash value of the interrupt handler corresponding to the interrupt service. The firmware of the hardware device guarding the interrupt service includes: the firmware calculates the hash value of the interrupt handler according to the address and length in the interrupt handler information; if the hash value of the interrupt handler is the same as the hash value in the interrupt handler information, the firmware sleeps for a preset duration and then resumes execution from the following step: the firmware calculates the hash value of the interrupt handler according to the address and length in the interrupt handler information.

In a possible implementation, the firmware of the hardware device guarding the interrupt service includes: if the hash value of the interrupt handler differs from the hash value in the interrupt handler information, the firmware controls the hardware device to stop sending interrupt requests, so as to stop the interrupt service; the firmware repairs the interrupt handler according to the driver image and the address and length in the interrupt handler information; after the repair is complete, the firmware controls the hardware device to resume sending interrupt requests, so as to restore the interrupt service.

In a possible implementation, determining the key information of the driver includes: after the driver is loaded into memory, checking whether the driver was modified during loading; and, if the driver was not modified during loading, determining the key information of the driver.

In a possible implementation, checking whether the driver was modified during loading includes: after the driver is loaded into memory, verifying the driver, where the verification includes at least one of hash verification and certificate signature verification; if the verification passes, performing alignment and relocation on the driver; and judging, according to the driver image, whether the driver was modified during loading.

In a possible implementation, judging according to the driver image whether the driver was modified during loading includes: calculating the hash value of the driver image and the hash value of the driver separately; and, if the hash value of the driver image is the same as the hash value of the driver, determining that the driver was not modified during loading.

In a possible implementation, determining the key information of the driver includes: if the driver was modified during loading, repairing the driver according to the driver image; and, after the repair of the driver is complete, determining the key information of the driver.

In a possible implementation, the method further includes: after the callback function information has been determined, registering the driver's callback functions through a custom callback registration function.

In a possible implementation, the method further includes: storing the key information, the first thread information, the second thread information and the third thread information in a preset storage area, where the storage area can be written only once.
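An added illustration of the guard ring and the hash-then-repair check described above, written as a userspace C simulation; it is not code from the patent or from the assignee. The 64-byte buffers, the region layout, the `driver_state` structure, every function name and the FNV-1a hash are assumptions made for the example (the page does not name a hash algorithm).

```c
/* Userspace simulation of the three-thread guard ring (added example). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_LEN 64
enum { T1, T2, T3, CB_TABLE, DISPATCH_TABLE, CALLBACK, N_REGIONS };
enum { GUARD_REPAIRED = 1, GUARD_RESTARTED = 2, GUARD_BAD_RECORD = 4 };

/* The (address, length, hash value) triple kept for every guarded region. */
typedef struct { size_t addr, len; uint64_t hash; } region_info;

typedef struct {
    uint8_t image[IMG_LEN];       /* driver image: pristine in-memory backup */
    uint8_t loaded[IMG_LEN];      /* loaded driver, the copy that can be patched */
    region_info info[N_REGIONS];  /* recorded once, read-only afterwards */
    int alive[3];                 /* liveness of guard threads 1..3 */
} driver_state;

/* FNV-1a, a non-cryptographic stand-in chosen to keep the example short;
   a real integrity check would use a cryptographic hash. */
static uint64_t region_hash(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Record a region's triple from the pristine image; -1 if out of bounds. */
int record_region(driver_state *s, int id, size_t addr, size_t len) {
    if (id < 0 || id >= N_REGIONS || addr > IMG_LEN || len > IMG_LEN - addr)
        return -1;
    s->info[id] = (region_info){ addr, len, region_hash(s->image + addr, len) };
    return 0;
}

/* Hash one region; on mismatch, copy its bytes back from the driver image. */
int guard_region(driver_state *s, int id) {
    const region_info *r = &s->info[id];
    if (r->addr > IMG_LEN || r->len > IMG_LEN - r->addr)
        return GUARD_BAD_RECORD;
    if (region_hash(s->loaded + r->addr, r->len) == r->hash)
        return 0;
    memcpy(s->loaded + r->addr, s->image + r->addr, r->len);
    /* Still mismatching after the copy means the record or the image itself
       was altered, so the repair cannot be trusted. */
    return region_hash(s->loaded + r->addr, r->len) == r->hash
               ? GUARD_REPAIRED : GUARD_BAD_RECORD;
}

/* Guard a peer thread: verify its code, then restart it if it has exited. */
int guard_thread(driver_state *s, int t) {
    int res = guard_region(s, t);
    if (!s->alive[t]) { s->alive[t] = 1; res |= GUARD_RESTARTED; }
    return res;
}

/* One iteration of each guard loop (the sleep between iterations is omitted):
   thread 1 -> thread 2; thread 2 -> both tables and thread 3;
   thread 3 -> callback code and thread 1. A stopped thread guards nothing. */
int ring_pass(driver_state *s) {
    int res = 0;
    if (s->alive[T1]) res |= guard_thread(s, T2);
    if (s->alive[T2]) {
        res |= guard_region(s, CB_TABLE);
        res |= guard_region(s, DISPATCH_TABLE);
        res |= guard_thread(s, T3);
    }
    if (s->alive[T3]) {
        res |= guard_region(s, CALLBACK);
        res |= guard_thread(s, T1);
    }
    return res;
}

/* Constructed sample: six regions laid out back to back in a 64-byte "driver". */
void make_sample(driver_state *s) {
    static const size_t layout[N_REGIONS][2] = {
        {0, 8}, {8, 8}, {16, 8}, {24, 8}, {32, 16}, {48, 16} };
    for (size_t i = 0; i < IMG_LEN; i++) s->image[i] = (uint8_t)(i * 7 + 3);
    memcpy(s->loaded, s->image, IMG_LEN);
    for (int id = 0; id < N_REGIONS; id++)
        record_region(s, id, layout[id][0], layout[id][1]);
    s->alive[T1] = s->alive[T2] = s->alive[T3] = 1;
}

int main(void) {
    driver_state s;
    make_sample(&s);
    s.loaded[34] ^= 0xff;   /* simulate a patched dispatch-table entry */
    s.alive[T2] = 0;        /* simulate guard thread 2 having exited */
    printf("pass 1 flags: %d\n", ring_pass(&s));
    printf("pass 2 flags: %d\n", ring_pass(&s));
    return 0;
}
```

With all three guard threads stopped, `ring_pass` repairs nothing, because no member of the ring is left to restart the others; the page's interrupt-service guard checks the first thread from outside the ring.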

According to another aspect of the present disclosure, a driver protection device is provided. The device includes: a first information determining module, configured to determine key information of the driver after the driver of a hardware device is loaded into memory, the key information including at least one of callback function table information, callback function information and dispatch function table information of the driver; a second information determining module, configured to determine first thread information, second thread information and third thread information, where the first thread information includes the address, length and hash value of the first code corresponding to the first thread, the second thread information includes the address, length and hash value of the second code corresponding to the second thread, and the third thread information includes the address, length and hash value of the third code corresponding to the third thread; a thread starting module, configured to start the first thread, the second thread and the third thread; and a first guard module, in which, according to the key information, the first thread information, the second thread information and the third thread information, the first thread guards the second thread, the second thread guards the third thread and the driver, and the third thread guards the first thread and the driver.

In a possible implementation, the first guard module includes: a first guard submodule, in which the first thread guards the second thread according to the second thread information; a second guard submodule, in which the second thread guards the driver's callback function table, the driver's dispatch function table and the third thread according to the key information and the third thread information; and a third guard submodule, in which the third thread guards the driver's callback functions and the first thread according to the key information and the first thread information.

In a possible implementation, the first guard submodule is configured so that: the first thread calculates the hash value of the second code according to the address and length in the second thread information; if the hash value of the second code is the same as the hash value in the second thread information, the first thread checks whether the second thread has exited; if the second thread has not exited, the first thread sleeps for a preset duration and then resumes execution from the following step: the first thread calculates the hash value of the second code according to the address and length in the second thread information.

In a possible implementation, the first guard submodule is further configured so that: if the hash value of the second code differs from the hash value in the second thread information, the first thread repairs the second code according to the driver image and the address and length in the second thread information, where the driver image is an in-memory backup of the original driver on the hard disk.

In a possible implementation, the first guard submodule is further configured so that: if the second thread has exited, the first thread restarts the second thread.

In a possible implementation, the second guard submodule is configured so that: the second thread guards the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information; and the second thread guards the third thread according to the third thread information.

In a possible implementation, the callback function table information includes the address, length and hash value of the driver's callback function table, and the dispatch function table information includes the address, length and hash value of the driver's dispatch function table. The second thread guarding the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information includes: the second thread calculates the hash value of the driver's callback function table according to the address and length in the callback function table information; if the hash value of the driver's callback function table differs from the hash value in the callback function table information, the second thread repairs the driver's callback function table according to the driver image and the address and length in the callback function table information; the second thread calculates the hash value of the driver's dispatch function table according to the address and length in the dispatch function table information; if the hash value of the driver's dispatch function table differs from the hash value in the dispatch function table information, the second thread repairs the driver's dispatch function table according to the driver image and the address and length in the dispatch function table information.

In a possible implementation, the third guard submodule is configured so that: the third thread guards the driver's callback functions according to the callback function information in the key information; and the third thread guards the first thread according to the first thread information.

In a possible implementation, the callback function information includes the addresses, lengths and hash values of all callback functions of the driver. The third thread guarding the driver's callback functions according to the callback function information in the key information includes: for any callback function of the driver, the third thread calculates the hash value of the callback function according to the address and length of that callback function in the callback function information; if the hash value of the callback function differs from a reference hash value, the second thread repairs the code of the callback function according to the driver image and the address and length of that callback function in the callback function table information, where the reference hash value is the hash value of that callback function in the callback function information.

在一种可能的实现方式中,所述装置还包括:第二守护模块,所述驱动程序的中断服务对所述第一线程进行守护。In a possible implementation manner, the device further includes: a second guard module, where the interrupt service of the driver program guards the first thread.

在一种可能的实现方式中,所述第二守护模块,包括:第一计算子模块,在所述驱动程序的中断服务执行中断处理之前,所述中断服务根据所述第一线程信息中的地址及长度,计算所述第一代码的哈希值;第一检查子模块,在所述第一代码的哈希值与所述第一线程信息中的哈希值相同的情况下,所述中断服务检查所述第一线程是否退出;执行子模块,在所述第一线程未退出的情况下,所述中断服务执行所述中断处理。In a possible implementation manner, the second guard module includes: a first calculation submodule, before the interrupt service of the driver executes interrupt processing, the interrupt service address and length, calculating the hash value of the first code; the first checking submodule, when the hash value of the first code is the same as the hash value in the first thread information, the The interrupt service checks whether the first thread exits; the submodule is executed, and if the first thread does not exit, the interrupt service executes the interrupt processing.

在一种可能的实现方式中,所述装置还包括:第三守护模块,所述硬件设备的固件对所述中断服务进行守护。In a possible implementation manner, the apparatus further includes: a third guard module, where firmware of the hardware device guards the interrupt service.

在一种可能的实现方式中,所述关键信息还包括所述中断服务对应的中断处理函数信息,所述中断处理函数信息包括所述中断服务对应的中断处理函数的地址、长度及哈希值;所述第三守护模块,包括:第二计算子模块,所述固件根据所述中断处理函数信息中的地址及长度,计算所述中断处理函数的哈希值;休眠子模块,在所述中断处理函数的哈希值与所述中断处理函数信息中的哈希值相同的情况下,所述固件休眠预设时长后,重新从下述步骤开始执行:所述固件根据所述中断处理函数信息中的地址及长度,计算所述中断处理函数的哈希值。In a possible implementation manner, the key information further includes the interrupt processing function information corresponding to the interrupt service, and the interrupt processing function information includes the address, length and hash value of the interrupt processing function corresponding to the interrupt service The third guardian module includes: a second computing submodule, the firmware calculates the hash value of the interrupt processing function according to the address and length in the interrupt processing function information; the dormancy submodule, in the In the case where the hash value of the interrupt processing function is the same as the hash value in the interrupt processing function information, after the firmware sleeps for a preset period of time, it starts to execute again from the following steps: the firmware executes according to the interrupt processing function The address and length in the information are used to calculate the hash value of the interrupt processing function.

In a possible implementation, the third guard module includes: an interrupt service stopping submodule, wherein, when the hash value of the interrupt handler differs from the hash value in the interrupt handler information, the firmware controls the hardware device to stop sending interrupt requests, so as to stop the interrupt service; a repair submodule, wherein the firmware repairs the interrupt handler according to the driver image and the address and length in the interrupt handler information; and an interrupt service resuming submodule, wherein, after the repair is complete, the firmware controls the hardware device to resume sending interrupt requests, so as to resume the interrupt service.

In a possible implementation, the first information determining module includes: a second checking submodule, which, after the driver is loaded into memory, checks whether the driver was modified during loading; and an information determining submodule, which determines the key information of the driver when the driver was not modified during loading.

In a possible implementation, the second checking submodule is configured to: verify the driver after the driver is loaded into memory, the verification including at least one of hash verification and certificate signature verification; when the verification passes, perform alignment and relocation processing on the driver; and determine, according to the driver image, whether the driver was modified during loading.

In a possible implementation, determining, according to the driver image, whether the driver was modified during loading includes: calculating the hash value of the driver image and the hash value of the driver separately; and, when the hash value of the driver image is the same as the hash value of the driver, determining that the driver was not modified during loading.

In a possible implementation, the information determining submodule is configured to: when the driver was modified during loading, repair the driver according to the driver image; and, after the repair of the driver is complete, determine the key information of the driver.

In a possible implementation, the apparatus further includes: a registration module, configured to register the callback functions of the driver through a custom callback registration function after the callback function information has been determined.

In a possible implementation, the apparatus further includes: a storage module, configured to store the key information, the first thread information, the second thread information and the third thread information in a preset storage area, the storage area being one that allows only a single write.

The driver protection method of the embodiments of the present disclosure can, after the driver of a hardware device is loaded into memory, determine the key information of the driver, determine the first thread information, the second thread information and the third thread information, and then start the first thread, the second thread and the third thread. After the threads have started successfully, according to the key information, the first thread information, the second thread information and the third thread information, the first thread guards the second thread, the second thread guards the third thread and the driver, and the third thread guards the first thread and the driver. The first, second and third threads thus guard the driver in a ring, which prevents the driver from being hijacked and improves the security of the driver.

Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments with reference to the accompanying drawings.

Description of the drawings

The accompanying drawings, which are included in and constitute a part of the specification, illustrate exemplary embodiments, features and aspects of the present disclosure and, together with the specification, serve to explain the principles of the present disclosure.

FIG. 1 shows a flowchart of a driver protection method according to an embodiment of the present disclosure.

FIG. 2 shows a schematic diagram of a driver protection method according to an embodiment of the present disclosure.

FIG. 3 shows a schematic diagram of the guarding process of the first thread according to an embodiment of the present disclosure.

FIG. 4 shows a schematic diagram of the guarding process of the second thread according to an embodiment of the present disclosure.

FIG. 5 shows a schematic diagram of the guarding process of the third thread according to an embodiment of the present disclosure.

FIG. 6 shows a schematic diagram of the guarding process of the interrupt service according to an embodiment of the present disclosure.

FIG. 7 shows a schematic diagram of the guarding process of the firmware according to an embodiment of the present disclosure.

FIG. 8 shows a schematic diagram of a driver protection method according to an embodiment of the present disclosure.

FIG. 9 shows a block diagram of a driver protection apparatus according to an embodiment of the present disclosure.

Detailed description

Various exemplary embodiments, features and aspects of the present disclosure are described in detail below with reference to the accompanying drawings. The same reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless specifically indicated.

The word "exemplary" is used here specifically to mean "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not necessarily to be construed as superior to or better than other embodiments.

In addition, numerous specific details are given in the detailed description below in order to better explain the present disclosure. Those skilled in the art will understand that the present disclosure can also be practised without some of these details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art are not described in detail, so as to highlight the gist of the present disclosure.

The driver protection method of the embodiments of the present disclosure can be used to protect the driver of a hardware device, so as to prevent the driver from being hijacked. The method can be applied to an electronic device that includes hardware devices such as a graphics card, a network card or a sound card. The electronic device may be, for example, a terminal device or a server. The present disclosure does not limit the specific type of the electronic device or of the hardware device, nor the type of operating system that the electronic device runs.

FIG. 1 shows a flowchart of a driver protection method according to an embodiment of the present disclosure. As shown in FIG. 1, the driver protection method includes:

Step S110: after the driver of a hardware device is loaded into memory, determine the key information of the driver, the key information including at least one of the driver's callback function table information, callback function information and dispatch function table information;

Step S120: determine first thread information, second thread information and third thread information, the first thread information including the address, length and hash value of the first code corresponding to the first thread, the second thread information including the address, length and hash value of the second code corresponding to the second thread, and the third thread information including the address, length and hash value of the third code corresponding to the third thread;

Step S130: start the first thread, the second thread and the third thread;

Step S140: according to the key information, the first thread information, the second thread information and the third thread information, the first thread guards the second thread, the second thread guards the third thread and the driver, and the third thread guards the first thread and the driver.

In a possible implementation, after the electronic device is powered on and boots, the operating system obtains the driver of the hardware device from the hard disk and loads it into memory. Memory here refers only to the computer's system memory.

In a possible implementation, after the operating system loads the driver of the hardware device into memory, the driver starts running, and the key information of the driver can be determined in step S110. The key information may include at least one of the driver's callback function table information, callback function information and dispatch function table information.

In a possible implementation, the callback function table is a list of all callback functions in the driver. For example, if the driver has 20 callback functions, the callback function table is the list formed by the function names of these 20 callback functions. The callback function table information may include the name, address, length, hash value (Hash) and so on of the callback function table.

In a possible implementation, the callback function information may include the function name, address, length, hash value and so on of each callback function in the driver. For example, if the driver has 20 callback functions, namely callback function 1, callback function 2, ..., callback function 20, the callback function information may include the function name, address, length and hash value of callback function 1, the function name, address, length and hash value of callback function 2, ..., and the function name, address, length and hash value of callback function 20.

In a possible implementation, the dispatch function table is a list of all dispatch functions in the driver. For example, if the driver has 30 dispatch functions, the dispatch function table is the list formed by the function names of these 30 dispatch functions. The dispatch function table information may include the name, address, length, hash value and so on of the dispatch function table.

It should be noted that, besides the callback function table information, callback function information and dispatch function table information described above, the key information of the driver may also include other information. Those skilled in the art may set the specific content of the key information according to the actual situation, and the present disclosure does not limit this.

In a possible implementation, after the key information of the driver has been determined, step S120 may be executed to determine the first thread information, the second thread information and the third thread information. The first thread information may include the address (for example, the start address), length and hash value of the first code corresponding to the first thread; the second thread information may include the address (for example, the start address), length and hash value of the second code corresponding to the second thread; and the third thread information may include the address (for example, the start address), length and hash value of the third code corresponding to the third thread. The first thread, the second thread and the third thread can be regarded as the guard (daemon) processes of the driver. In one example, the code of the first, second and third threads may be integrated into the code of the driver.

In a possible implementation, after the first thread information, the second thread information and the third thread information have been determined, step S130 may be executed to start the first thread, the second thread and the third thread. In one example, the first thread, the second thread and the third thread may be started by the driver.

In a possible implementation, after the first thread, the second thread and the third thread have been started, step S140 may be executed: according to the key information, the first thread information, the second thread information and the third thread information, the first thread guards the second thread, the second thread guards the third thread and the driver, and the third thread guards the first thread and the driver.

The second thread and the third thread may each guard different content of the driver. For example, the second thread guards the driver's callback function table and dispatch function table, and the third thread guards the driver's callback functions; or the second thread guards the driver's callback functions, and the third thread guards the driver's callback function table and dispatch function table; or the second thread guards the driver's callback function table and callback functions, and the third thread guards the driver's dispatch function table.

It should be noted that those skilled in the art may decide, according to the actual situation, which content of the driver the second thread and the third thread each guard; the present disclosure does not specifically limit this.

In a possible implementation, when the first thread guards the second thread, it may check whether the second thread has been hijacked (for example, hooked or patched). If the second thread has been hijacked, the second code corresponding to the second thread is repaired according to the second thread information. If the second thread has not been hijacked, the first thread checks whether the second thread has exited; if the second thread has exited, it is restarted. If the second thread has not exited, the first thread sleeps for a preset duration (for example, 15 ms, 20 ms, etc.) and then begins the next round of guarding.

In a possible implementation, assume that the second thread guards the driver's callback function table and dispatch function table. When the second thread guards the third thread and the driver, it may check whether the driver's callback function table or dispatch function table has been modified. If the callback function table or the dispatch function table has been modified, it is repaired according to the callback function table information or the dispatch function table information in the key information.

If the driver's callback function table and dispatch function table have not been modified, the second thread may check whether the third thread has been hijacked. If the third thread has been hijacked, the third code corresponding to the third thread is repaired according to the third thread information. If the third thread has not been hijacked, the second thread checks whether the third thread has exited; if the third thread has exited, it is restarted. If the third thread has not exited, the second thread sleeps for a preset duration (for example, 15 ms, 20 ms, etc.) and then begins the next round of guarding.

In a possible implementation, assume that the third thread guards the driver's callback functions. When the third thread guards the first thread and the driver, it may check whether the driver's callback functions have been modified. If a callback function has been modified, it is repaired according to the callback function information in the key information.

If the driver's callback functions have not been modified, the third thread may check whether the first thread has been hijacked. If the first thread has been hijacked, the first code corresponding to the first thread is repaired according to the first thread information. If the first thread has not been hijacked, the third thread checks whether the first thread has exited; if the first thread has exited, it is restarted. If the first thread has not exited, the third thread sleeps for a preset duration (for example, 15 ms, 20 ms, etc.) and then begins the next round of guarding.

FIG. 2 shows a schematic diagram of a driver protection method according to an embodiment of the present disclosure. As shown in FIG. 2, the first thread 210 guards the second thread 220; the second thread 220 guards the third thread 230 and the dispatch function table 241 and callback function table 242 of the driver 240; and the third thread 230 guards the first thread 210 and the callback functions 243 of the driver 240.

As shown in FIG. 2, the first thread 210, the second thread 220 and the third thread 230 guard the driver 240 in a ring. As a result, even when any one or any two of the first thread 210, the second thread 220 and the third thread 230 become abnormal (hijacked or exited), the threads that are still running normally can quickly restore them, so the protection of the driver 240 is hard to break and the protection effect is improved.

For example, assume that the first thread 210 and the second thread 220 have both become abnormal and exited, while the third thread 230 is running normally. In this case, when the third thread 230 guards the first thread 210, it restarts the first thread 210. Once started, the first thread 210 guards the second thread 220 and restarts it, which restores the ring guarding of the driver 240 by the first thread 210, the second thread 220 and the third thread 230.
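The ring in FIG. 2 and the recovery case just described, as an added user-space model in Python (not code from the patent): each guard checks address, length and hash records, repairs a mismatching region from the driver image and restarts an exited peer. The 96-byte layout, the names `t1` to `t3`, and the rule that a patched or exited guard performs no checks are assumptions of the model.

```python
"""User-space model of the ring guard (constructed example, not driver code)."""
import hashlib
from dataclasses import dataclass


def region_hash(mem, addr, length):
    """SHA-256 over mem[addr:addr+length] (the page names SHA256 as one option)."""
    return hashlib.sha256(bytes(mem[addr:addr + length])).hexdigest()


@dataclass(frozen=True)
class Record:
    """Address, length and reference hash of one protected region."""
    addr: int
    length: int
    digest: str


# Hypothetical layout of a toy 96-byte "driver": name -> (address, length).
LAYOUT = {
    "t1": (0, 16), "t2": (16, 16), "t3": (32, 16),
    "dispatch_table": (48, 16), "callback_table": (64, 16), "callbacks": (80, 16),
}
# guard -> (peer thread it guards, driver regions it guards), as in FIG. 2.
WATCH = {
    "t1": ("t2", ()),
    "t2": ("t3", ("dispatch_table", "callback_table")),
    "t3": ("t1", ("callbacks",)),
}


class GuardRing:
    def __init__(self, image):
        self.image = bytes(image)      # driver image: reference copy used for repair
        self.mem = bytearray(image)    # loaded driver: the copy that may be modified
        self.records = {name: Record(addr, length, region_hash(self.image, addr, length))
                        for name, (addr, length) in LAYOUT.items()}
        self.running = {thread: True for thread in WATCH}
        self.log = []

    def intact(self, name):
        rec = self.records[name]
        return region_hash(self.mem, rec.addr, rec.length) == rec.digest

    def repair(self, name):
        rec = self.records[name]
        self.mem[rec.addr:rec.addr + rec.length] = self.image[rec.addr:rec.addr + rec.length]

    def _note(self, event):
        self.log.append(event)
        return event

    def guard_once(self, guard):
        """One pass of one guard thread; returns the action taken."""
        # Modelling assumption: an exited or patched guard performs no checks.
        if not self.running[guard] or not self.intact(guard):
            return None
        peer, regions = WATCH[guard]
        for region in regions:                    # 1. guarded driver content modified?
            if not self.intact(region):
                self.repair(region)
                return self._note(f"{guard} repaired {region}")
        if not self.intact(peer):                 # 2. peer thread code hijacked?
            self.repair(peer)
            return self._note(f"{guard} repaired {peer}")
        if not self.running[peer]:                # 3. peer thread exited?
            self.running[peer] = True
            return self._note(f"{guard} restarted {peer}")
        return "sleep"                            # 4. sleep until the next pass

    def run(self, rounds):
        for _ in range(rounds):
            for guard in WATCH:                   # t1, t2, t3 in turn
                self.guard_once(guard)
        return list(self.log)

    def healthy(self):
        return all(self.running.values()) and bytes(self.mem) == self.image


def demo_two_threads_exit():
    """Scenario from the text: threads 1 and 2 have exited, thread 3 still runs."""
    ring = GuardRing(bytes(range(96)))            # constructed image
    ring.running["t1"] = ring.running["t2"] = False
    return ring.run(2), ring.healthy()


def demo_modified_regions():
    """Constructed fault: one callback-table byte and one byte of thread 2's code change."""
    ring = GuardRing(bytes(range(96)))
    ring.mem[70] ^= 0xFF
    ring.mem[20] ^= 0xFF
    return ring.run(2), ring.healthy()
```

With all three threads stopped, no pass runs and nothing is restored in this model; the text's recovery claim covers one or two abnormal threads.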

The driver protection method of the embodiments of the present disclosure can, after the driver of a hardware device is loaded into memory, determine the key information of the driver, determine the first thread information, the second thread information and the third thread information, and then start the first thread, the second thread and the third thread. After the threads have started successfully, according to the key information, the first thread information, the second thread information and the third thread information, the first thread guards the second thread, the second thread guards the third thread and the driver, and the third thread guards the first thread and the driver. The first, second and third threads thus guard the driver in a ring, which prevents the driver from being hijacked and improves the security of the driver.

In a possible implementation, after the driver is loaded into memory and starts running, the driver may back up the original driver on the hard disk into memory to obtain the driver image. In other words, the driver image is an in-memory backup of the original driver on the hard disk. During driver protection, the driver image can serve as the reference file against which the driver is compared or from which it is repaired.

In a possible implementation, step S110 may include: after the driver is loaded into memory, checking whether the driver was modified during loading; and, when the driver was not modified during loading, determining the key information of the driver.

In a possible implementation, after the operating system loads the driver into memory, it may first be checked whether the driver was modified during loading. For example, this can be checked by comparing the original driver on the hard disk with the driver loaded into memory, or by comparing the driver image with the driver loaded into memory. The key information of the driver is determined only when the driver was not modified during loading.

In this way, after the driver is loaded into memory, it can be checked whether the driver was modified during loading, and the key information of the driver is determined when it was not. This prevents the driver from being intercepted or corrupted during loading and improves the accuracy of the key information.

In a possible implementation, checking whether the driver was modified during loading may include: verifying the driver after it is loaded into memory, the verification including at least one of hash verification and certificate signature verification; when the verification passes, performing alignment and relocation processing on the driver; and determining, according to the driver image, whether the driver was modified during loading.

In a possible implementation, when checking whether the driver was modified during loading, the driver may first be verified. Because the driver starts running once the operating system has loaded it into memory, this verification can be regarded as the driver's self-verification. The verification of the driver may include at least one of hash verification and certificate signature verification. For example, when the verification includes both hash verification and certificate signature verification, each is performed on the driver separately; the driver is considered to have passed verification if both pass, and to have failed verification otherwise.

Hash verification may work, for example, as follows: the hash value of the driver loaded into memory is calculated with a preset hash algorithm (for example, Secure Hash Algorithm 256, SHA256); if this hash value is the same as the driver's preset hash value, hash verification passes, otherwise it fails. Certificate signature verification can be used to verify the relevant authority, digest algorithm, encryption and decryption algorithms and so on of the driver's current certificate, and can be carried out on the driver with existing related techniques. It should be noted that the present disclosure limits neither the specific hash algorithm nor the specific manner of certificate signature verification. Verifying the driver loaded into memory with at least one of hash verification and certificate signature verification prevents it from being replaced by another, malicious driver.

When the driver fails verification, a prompt may be sent to the user, for example "Driver verification failed" or "A driver error has occurred". The user may also be prompted to take action, for example "Please reinstall the driver" or "Please update the driver". The present disclosure does not limit the specific content of the prompt.

When the driver passes verification, alignment processing (alignment from disk layout to memory layout) and relocation processing may be performed on the driver loaded into memory. If the driver has an import table or an export table, the import table or export table also needs to be fixed up.

In a possible implementation, after alignment and relocation processing have been performed on the driver, it can be determined according to the driver image whether the driver was modified during loading. In one example, this is determined by comparing the driver image directly with the driver loaded into memory. In another example, the hash value of the driver image and the hash value of the driver loaded into memory are calculated separately, and the determination is made by comparing the two hash values.

In a possible implementation, when determining according to the driver image whether the driver was modified during loading, the hash value of the driver image and the hash value of the driver loaded into memory may first be calculated separately with a preset hash algorithm, and the two hash values are then compared. If they are the same, it can be determined that the driver was not modified during loading; if they differ, it can be determined that the driver was modified during loading. When calculating the hash value of the driver image, either the hash value of the whole driver image or the hash values of key regions of the driver image, such as the code area and the data area, may be calculated. Correspondingly, when calculating the hash value of the driver loaded into memory, either the hash value of the whole driver or the hash values of key regions of the driver, such as the code area and the data area, may be calculated. The present disclosure does not limit this. In this way, it can be determined quickly whether the driver was modified during loading, which improves processing efficiency.

In a possible implementation, if the driver was modified during loading, the driver can be repaired according to the driver image, and the key information of the driver is determined only after the repair is complete. In this way, a driver modified during loading can be repaired before its key information is determined, which improves the accuracy of the key information.

In this embodiment, when checking whether the driver was modified during loading, the driver is first verified after it is loaded into memory; if the verification passes, the driver is aligned and relocated, and whether the driver was modified during loading is then determined according to the driver image. In this way, whether the driver was modified during loading can be checked quickly and accurately, which improves processing efficiency.

In a possible implementation, where the key information of the driver includes callback function table information, determining the key information may include obtaining the callback function table in the driver, determining the name, address and length of the callback function table, and calculating the hash value of the callback function table using a preset hash algorithm; the callback function table information of the driver function is then determined from the name, address, length and hash value of the callback function table.

In a possible implementation, where the key information of the driver includes dispatch function table information, determining the key information may include obtaining the dispatch function table in the driver, determining the name, address and length of the dispatch function table, and calculating the hash value of the dispatch function table using a preset hash algorithm; the dispatch function table information of the driver function is then determined from the name, address, length and hash value of the dispatch function table.

In a possible implementation, where the key information of the driver includes callback function information, determining the key information may include, for any callback function in the driver, determining the name, address and length of that callback function and calculating its hash value using a preset hash algorithm; the callback function information of the driver is then determined from the names, addresses, lengths and hash values of all callback functions.

In a possible implementation, after the callback function information of the driver has been determined, the callback functions of the driver can be registered through a custom callback registration function. For example, when the operating system is Windows and the hardware device is a graphics card, after the callback function information of the graphics card driver has been determined, the callback functions of the graphics card driver can be registered with the dxgkrnl graphics kernel subsystem through the custom callback registration function, which completes the registration of the graphics card driver's callback functions. Registering the driver's callback functions through a custom callback registration function avoids interception or sabotage by malicious programs during callback registration, thereby improving the security of the driver.

In a possible implementation, the method further includes: storing the key information, the first thread information, the second thread information and the third thread information in a preset storage area, the storage area being one that can be written only once.

The preset storage area is a specially provided storage area that is trusted by the driver (TrustZone). During normal use of the hardware device, this storage area can be written only once but can be read many times. It can be rewritten only when the driver is upgraded, the driver is reinstalled, or the electronic device is restarted.

In a possible implementation, the preset storage area may be located in the memory of the hardware device or in a memory card integrated in the device. For example, where the hardware device is a graphics card, the preset storage area may be located in video memory or in a built-in memory card of the graphics card. Those skilled in the art can determine the specific location of the storage area according to the actual situation; the present disclosure does not limit this.

In a possible implementation, when the key information, the first thread information, the second thread information and the third thread information are stored in the preset storage area, they can also be encrypted, which improves the security of the key information, the first thread information, the second thread information and the third thread information. The encryption algorithm used can be set according to the actual situation; the present disclosure does not limit this.

In this embodiment, writing the key information, the first thread information, the second thread information and the third thread information into the preset storage area prevents them from being tampered with by malicious programs, so that the key information, the first thread information, the second thread information and the third thread information are protected and their security is improved.

It should be noted that the operations described above (determining the key information of the driver; determining the first thread information, the second thread information and the third thread information; registering the callback functions of the driver; and storing the key information, the first thread information, the second thread information and the third thread information in the preset storage area) can be carried out in the initialization flow of the hardware device.

In a possible implementation, step S140 may include: the first thread guards the second thread according to the second thread information; the second thread guards the driver's callback function table, dispatch function table and the third thread according to the key information and the third thread information; the third thread guards the driver's callback functions and the first thread according to the key information and the first thread information.

That is, the first thread uses the second thread information as its basis for guarding the second thread; the second thread uses the key information of the driver and the third thread information as its basis for guarding the driver's callback function table, dispatch function table and the third thread; and the third thread uses the key information of the driver and the first thread information as its basis for guarding the driver's callback functions and the first thread. In this way, processing efficiency in the driver protection process can be improved.

In a possible implementation, the first thread guarding the second thread according to the second thread information includes: the first thread calculates the hash value of the second code according to the address and length in the second thread information; if the hash value of the second code is the same as the hash value in the second thread information, the first thread checks whether the second thread has exited; if the second thread has not exited, the first thread sleeps for a preset duration and then starts again from the step in which the first thread calculates the hash value of the second code according to the address and length in the second thread information.

In a possible implementation, when the first thread guards the second thread according to the second thread information, it can first calculate the hash value of the second code according to the address and length in the second thread information. Specifically, for example, the first thread can determine the first area, in which the second code is located, from the address and length in the second thread information (that is, the address and length of the second code), and then calculate the hash value of the second code in the first area using a preset hash algorithm.

It can then be determined whether the calculated hash value of the second code is the same as the hash value in the second thread information (the hash value of the original second code). If they are the same, the first thread considers that the second thread has not been hijacked and can check whether the second thread has exited. If the second thread has not exited, the first thread has completed this round of guarding; after sleeping for a preset duration (for example 15 ms or 20 ms), it starts the next round, that is, it starts again from the step "the first thread calculates the hash value of the second code according to the address and length in the second thread information". The preset duration can also take other values, for example 10 ms or 25 ms. Those skilled in the art can set the specific value of the preset duration according to the actual situation; the present disclosure does not limit this.

In this embodiment, the first thread guards the second thread by checking whether the second thread has been hijacked and whether the second thread has exited, so that the second thread can be recovered quickly if it has been hijacked or has exited.

In a possible implementation, if the calculated hash value of the second code differs from the hash value in the second thread information, the second thread can be considered hijacked (for example, hooked or patched), and the second code corresponding to the second thread needs to be repaired. In this case, the first thread can repair the second code according to the driver image and the address and length in the second thread information. Specifically, for example, the first thread can re-obtain the second code from the driver image according to the address and length in the second thread information, and use the re-obtained second code to repair the second code corresponding to the second thread. In this way, a hijacked second thread can be repaired quickly.

It should be noted that, while the second code is being repaired as described above, the memory bus can be locked to prevent other concurrent operations during the repair (for example, processor instruction fetches) from causing the electronic device to malfunction (for example, a crash or a blue screen); after the repair is completed, the lock on the memory bus is released automatically.

In a possible implementation, if the second thread has exited, the first thread restarts the second thread. After the second thread has started successfully, the first thread has completed this round of guarding; after sleeping for a preset duration (for example 15 ms or 20 ms), it starts the next round, that is, it starts again from the step "the first thread calculates the hash value of the second code according to the address and length in the second thread information". In this way, a second thread that has exited can be recovered quickly.

In a possible implementation, the first thread can record the second-thread repair count and the second-thread restart count. For example, after the first thread repairs the second code corresponding to the second thread, it can add 1 to the second-thread repair count; after the first thread restarts the second thread, it can add 1 to the second-thread restart count. Recording these counts makes it easier to analyze the running state of the second thread later and to find weak points in the driver protection process.

Fig. 3 shows a schematic diagram of the guarding process of the first thread according to an embodiment of the present disclosure. In this embodiment, the second thread information is stored in the preset storage area.

As shown in Fig. 3, the process by which the first thread guards the second thread may include the following steps:

Step S301: obtain the second thread information from the preset storage area;

Step S302: calculate the hash value of the second code according to the address and length in the second thread information;

Step S303: determine whether the calculated hash value of the second code is the same as the hash value in the second thread information;

If the calculated hash value of the second code is the same as the hash value in the second thread information, perform step S304: check whether the second thread has exited;

If the second thread has not exited, perform step S305: sleep for the preset duration; then perform the next round of guarding, starting again from step S301.

If the calculated hash value of the second code is not the same as the hash value in the second thread information, perform step S306: repair the second code according to the driver image and the address and length in the second thread information; then perform step S304.

If the second thread has exited, perform step S307: restart the second thread; then perform step S305.
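The Fig. 3 cycle (steps S301 to S307, with the repair and restart counters) as an added user-space C example; it is not code from the patent. Assumptions: FNV-1a stands in for the unspecified preset hash algorithm, byte buffers stand in for the driver image and the loaded driver, the `t2_alive` flag stands in for the second thread's state, and every identifier is hypothetical. The bounds check and the re-hash after repair are added checks that the page does not describe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "Second thread information" as read from the write-once storage area (S301). */
struct thread_info {
    size_t   offset;  /* address of the second code, modelled as a buffer offset */
    size_t   length;  /* length of the second code in bytes */
    uint64_t hash;    /* hash of the original second code */
};

/* Simulated guard state; all names are hypothetical. */
struct guard_ctx {
    const uint8_t *image;    /* pristine driver image */
    uint8_t       *loaded;   /* driver as loaded in memory */
    size_t         size;     /* size of both buffers */
    int            t2_alive; /* stand-in for "second thread has not exited" */
    unsigned       repairs;  /* second-thread repair count */
    unsigned       restarts; /* second-thread restart count */
};

/* Result bits: one cycle can both repair and restart. */
enum { GUARD_OK = 0, GUARD_REPAIRED = 1, GUARD_RESTARTED = 2, GUARD_FAILED = 4 };

/* FNV-1a, an assumed stand-in for the page's "preset hash algorithm". */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* One guard cycle. The caller sleeps (S305) and calls again from S301. */
int guard_once(struct guard_ctx *c, const struct thread_info *ti)
{
    int result = GUARD_OK;

    /* Added check: refuse a record that points outside the driver. */
    if (ti->length == 0 || ti->offset > c->size ||
        ti->length > c->size - ti->offset)
        return GUARD_FAILED;

    /* S302 + S303: hash the region and compare with the stored hash. */
    if (fnv1a64(c->loaded + ti->offset, ti->length) != ti->hash) {
        /* S306: re-obtain the second code from the driver image. */
        memcpy(c->loaded + ti->offset, c->image + ti->offset, ti->length);
        /* Added check: the repaired region must match the stored hash. */
        if (fnv1a64(c->loaded + ti->offset, ti->length) != ti->hash)
            return GUARD_FAILED;
        c->repairs++;
        result |= GUARD_REPAIRED;
    }

    /* S304: has the second thread exited?  S307: restart it. */
    if (!c->t2_alive) {
        c->t2_alive = 1;
        c->restarts++;
        result |= GUARD_RESTARTED;
    }
    return result;
}

/* Constructed sample data: a 32-byte "driver image"; the second code is
 * bytes 8..23 of it. */
static const uint8_t IMAGE[32] = "constructed-driver-image-bytes!";

/* Runs one cycle on a fresh copy, optionally after a constructed one-byte
 * patch and/or a simulated thread exit. Returns the result bits, or -1 if
 * the loaded copy does not match the image afterwards. */
int demo_cycle(int tamper, int kill_thread)
{
    uint8_t loaded[sizeof IMAGE];
    memcpy(loaded, IMAGE, sizeof IMAGE);
    struct thread_info ti = { 8, 16, fnv1a64(IMAGE + 8, 16) };
    struct guard_ctx c = { IMAGE, loaded, sizeof IMAGE, !kill_thread, 0, 0 };

    if (tamper)
        loaded[10] ^= 0xE9;  /* modify one byte inside the guarded region */

    int r = guard_once(&c, &ti);
    if (memcmp(loaded, IMAGE, sizeof IMAGE) != 0 || !c.t2_alive)
        return -1;
    return r;
}

int main(void)
{
    printf("clean=%d tampered=%d exited=%d both=%d\n",
           demo_cycle(0, 0), demo_cycle(1, 0),
           demo_cycle(0, 1), demo_cycle(1, 1));
    return 0;
}
```
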

In a possible implementation, the second thread guarding the driver's callback function table, dispatch function table and the third thread according to the key information and the third thread information includes: the second thread guards the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information; and the second thread guards the third thread according to the third thread information.

That is, when the second thread guards the driver's callback function table, dispatch function table and the third thread, it can use the callback function table information and the dispatch function table information in the key information as its basis for guarding the callback function table and the dispatch function table, and use the third thread information as its basis for guarding the third thread. In this way, the processing efficiency of the second thread's guarding can be improved.

It should be noted that, when the second thread guards the driver's callback function table, dispatch function table and the third thread, it can guard the callback function table and the dispatch function table first and the third thread afterwards; it can also guard the third thread first and the callback function table and dispatch function table afterwards; or another execution order can be set according to the actual situation. The present disclosure does not limit this.

In a possible implementation, the callback function table information in the key information may include the address, length and hash value of the driver's callback function table, and the dispatch function table information in the key information may include the address, length and hash value of the driver's dispatch function table;

The second thread guarding the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information may include: the second thread calculates the hash value of the driver's callback function table according to the address and length in the callback function table information; if the hash value of the driver's callback function table differs from the hash value in the callback function table information, the second thread repairs the driver's callback function table according to the driver image and the address and length in the callback function table information; the second thread calculates the hash value of the driver's dispatch function table according to the address and length in the dispatch function table information; if the hash value of the driver's dispatch function table differs from the hash value in the dispatch function table information, the second thread repairs the driver's dispatch function table according to the driver image and the address and length in the dispatch function table information.

In a possible implementation, when the second thread guards the driver's callback function table and dispatch function table, it can guard the callback function table first and the dispatch function table afterwards, or the dispatch function table first and the callback function table afterwards. The following takes guarding the callback function table first and the dispatch function table afterwards as an example to illustrate how the second thread guards the driver's callback function table and dispatch function table.

In a possible implementation, when the second thread guards the driver's callback function table, it can first calculate the hash value of the driver's callback function table according to the address and length in the callback function table information. Specifically, for example, the second thread can determine the second area, in which the driver's callback function table is located, from the address and length in the callback function table information, and then calculate the hash value of the callback function table in the second area using a preset hash algorithm.

It can then be determined whether the calculated hash value of the driver's callback function table is the same as the hash value in the callback function table information (the hash value of the original callback function table). If they are the same, the driver's callback function table can be considered not to have been hijacked.

If the calculated hash value of the driver's callback function table differs from the hash value in the callback function table information, the driver's callback function table can be considered hijacked and needs to be repaired. In this case, the second thread can repair the driver's callback function table according to the driver image and the address and length in the callback function table information. Specifically, for example, the second thread can re-obtain the callback function table from the driver image according to the address and length in the callback function table information, then use the re-obtained callback function table to identify, for instance by item-by-item comparison, the entries in the driver's callback function table that differ, and repair those entries.

In a possible implementation, when the second thread guards the driver's dispatch function table, it can first calculate the hash value of the driver's dispatch function table according to the address and length in the dispatch function table information. Specifically, for example, the second thread can determine the third area, in which the driver's dispatch function table is located, from the address and length in the dispatch function table information, and then calculate the hash value of the dispatch function table in the third area using a preset hash algorithm.

It can then be determined whether the calculated hash value of the driver's dispatch function table is the same as the hash value in the dispatch function table information (the hash value of the original dispatch function table). If they are the same, the driver's dispatch function table can be considered not to have been hijacked.

If the calculated hash value of the driver's dispatch function table differs from the hash value in the dispatch function table information, the driver's dispatch function table can be considered hijacked and needs to be repaired. In this case, the second thread can repair the driver's dispatch function table according to the driver image and the address and length in the dispatch function table information. Specifically, for example, the second thread can re-obtain the dispatch function table from the driver image according to the address and length in the dispatch function table information, then use the re-obtained dispatch function table to identify, for instance by item-by-item comparison, the entries in the driver's dispatch function table that differ, and repair those entries.

In this way, the second process can guard the driver's callback function table and dispatch function table, and thereby indirectly guard the driver's callback functions and dispatch functions.

In a possible implementation, the second thread guarding the third thread according to the third thread information may include: the second thread calculates the hash value of the third code according to the address and length in the third thread information; if the hash value of the third code is the same as the hash value in the third thread information, the second thread checks whether the third thread has exited; if the third thread has not exited, the second thread sleeps for a preset duration and then starts the next round of guarding.

In a possible implementation, when the second thread guards the third thread according to the third thread information, it can first calculate the hash value of the third code according to the address and length in the third thread information. Specifically, for example, the second thread can determine the fourth area, in which the third code is located, from the address and length in the third thread information (that is, the address and length of the third code), and then calculate the hash value of the third code in the fourth area using a preset hash algorithm.

It can then be determined whether the calculated hash value of the third code is the same as the hash value in the third thread information (the hash value of the original third code). If they are the same, the second thread considers that the third thread has not been hijacked and can check whether the third thread has exited. If the third thread has not exited, the second thread has completed this round of guarding; after sleeping for a preset duration (for example 15 ms or 20 ms), it starts the next round, that is, the second thread again guards the driver's callback function table, dispatch function table and the third thread.

The preset duration can also take other values, for example 10 ms or 25 ms. Those skilled in the art can set the specific value of the preset duration according to the actual situation; the present disclosure does not limit this.

In this embodiment, the second thread guards the third thread by checking whether the third thread has been hijacked and whether the third thread has exited, so that the third thread can be recovered quickly if it has been hijacked or has exited.

In a possible implementation, if the calculated hash value of the third code differs from the hash value in the third thread information, the third thread can be considered hijacked (for example, hooked or patched), and the third code corresponding to the third thread needs to be repaired. In this case, the second thread can repair the third code according to the driver image and the address and length in the third thread information. Specifically, for example, the second thread can re-obtain the third code from the driver image according to the address and length in the third thread information, and use the re-obtained third code to repair the third code corresponding to the third thread. In this way, a hijacked third thread can be repaired quickly.

In a possible implementation, if the third thread has exited, the second thread restarts the third thread. After the third thread has started successfully, the second thread has completed this round of guarding; after sleeping for a preset duration (for example 15 ms or 20 ms), it starts the next round. In this way, a third thread that has exited can be recovered quickly.

It should be noted that while the third code, the callback function table of the driver, or the dispatch function table is being repaired as described above, the memory bus may be locked to prevent other concurrent operations during the repair (for example, processor instruction fetches) from causing the electronic device to malfunction (for example, a crash or a blue screen). After the repair is completed, the lock on the memory bus is released automatically.

In a possible implementation, the second thread may record the number of callback function table repairs, the number of dispatch function table repairs, the number of third thread repairs, and the number of third thread restarts. For example, after the second thread repairs the callback function table of the driver, it may increase the number of callback function table repairs by 1; after the second thread repairs the dispatch function table of the driver, it may increase the number of dispatch function table repairs by 1; after the second thread repairs the third code corresponding to the third thread, it may increase the number of third thread repairs by 1; and after the second thread restarts the third thread, it may increase the number of third thread restarts by 1.

Recording the number of callback function table repairs, dispatch function table repairs, third thread repairs, and third thread restarts makes it easier to later analyze the state of the callback function table and the dispatch function table, and the running state of the third thread, while the driver is running, in order to find weak points in the driver protection process.

Fig. 4 shows a schematic diagram of the guarding process of the second thread according to an embodiment of the present disclosure. In this embodiment, the third thread information and the key information of the driver are stored in a preset storage area. During guarding, the second thread first guards the callback function table, and then guards the dispatch function table and the third thread.

As shown in Fig. 4, the process by which the second thread guards the callback function table, the dispatch function table, and the third thread may include the following steps:

Step S401: obtain the third thread information, and the callback function table information and dispatch function table information in the key information, from the preset storage area;

Step S402: calculate the hash value of the callback function table of the driver according to the address and length in the callback function table information;

Step S403: determine whether the calculated hash value of the callback function table is the same as the hash value in the callback function table information;

If the calculated hash value of the callback function table is the same as the hash value in the callback function table information, perform step S404: calculate the hash value of the dispatch function table of the driver according to the address and length in the dispatch function table information;

Step S405: determine whether the calculated hash value of the dispatch function table is the same as the hash value in the dispatch function table information;

If the calculated hash value of the dispatch function table is the same as the hash value in the dispatch function table information, perform step S406: calculate the hash value of the third code according to the address and length in the third thread information;

Step S407: determine whether the calculated hash value of the third code is the same as the hash value in the third thread information;

If the calculated hash value of the third code is the same as the hash value in the third thread information, perform step S408: check whether the third thread has exited;

If the third thread has not exited, perform step S409: sleep for the preset duration; then perform the next round of guarding, starting again from step S401.

If the calculated hash value of the callback function table differs from the hash value in the callback function table information, perform step S410: repair the callback function table of the driver according to the driver image and the address and length in the callback function table information; then perform step S404.

If the calculated hash value of the dispatch function table differs from the hash value in the dispatch function table information, perform step S411: repair the dispatch function table of the driver according to the driver image and the address and length in the dispatch function table information; then perform step S406.

If the calculated hash value of the third code differs from the hash value in the third thread information, perform step S412: repair the third code according to the driver image and the address and length in the third thread information; then perform step S408.

If the third thread has exited, perform step S413: restart the third thread; then perform step S409.

In a possible implementation, the third thread guarding the callback functions of the driver and the first thread according to the key information and the first thread information includes: the third thread guards the callback functions of the driver according to the callback function information in the key information; and the third thread guards the first thread according to the first thread information.

That is, when the third thread guards the callback functions of the driver and the first thread, it may use the callback function information in the key information as the basis for guarding the callback functions of the driver, and use the first thread information as the basis for guarding the first thread. In this way, the processing efficiency of the third thread's guarding can be improved.

It should be noted that when the third thread guards the callback functions of the driver and the first thread, it may guard the callback functions of the driver first and then guard the first thread, or it may guard the first thread first and then guard the callback functions of the driver. The present disclosure does not limit this.

In a possible implementation, the callback function information of the driver may include the addresses, lengths, and hash values of all callback functions of the driver. The third thread guarding the callback functions of the driver according to the callback function information in the key information includes: for any callback function in the driver, the third thread calculates the hash value of the callback function according to the address and length of the callback function in the callback function information; if the hash value of the callback function differs from a reference hash value, the second thread repairs the code of the callback function according to the driver image and the address and length of the callback function in the callback function table information, where the reference hash value is the hash value of the callback function in the callback function information.

In a possible implementation, the driver may include multiple callback functions, and the third thread may guard all callback functions in the driver. For any callback function of the driver, when the third thread guards the callback function, it may first calculate the hash value of the callback function according to the address and length of the callback function in the callback function information. Specifically, for example, the third thread may determine the fifth area, where the code of the callback function is located, according to the address and length of the callback function in the callback function table information, then calculate the hash value of the code in the fifth area using a preset hash algorithm, and take that hash value as the hash value of the callback function.

It can then be determined whether the calculated hash value of the callback function is the same as the reference hash value (the hash value of the callback function in the callback function information). If the calculated hash value of the callback function is the same as the reference hash value, the callback function can be considered not hijacked.

If the calculated hash value of the callback function differs from the reference hash value, the callback function can be considered hijacked, and the code of the callback function needs to be repaired. In this case, the third thread may repair the code of the callback function according to the driver image and the address and length of the callback function in the callback function table information. Specifically, for example, the third thread may re-obtain the code of the callback function from the driver image according to the address and length of the callback function in the callback function table information, and then repair the code of the callback function using the re-obtained code.

In this way, the third process can guard all callback functions of the driver, thereby improving the security of the driver.

In a possible implementation, the third thread guarding the first thread according to the first thread information may include: the third thread calculates the hash value of the first code according to the address and length in the first thread information; if the hash value of the first code is the same as the hash value in the first thread information, the third thread checks whether the first thread has exited; and if the first thread has not exited, the third thread sleeps for a preset duration and then starts the next round of guarding.

In a possible implementation, when the third thread guards the first thread according to the first thread information, it may first calculate the hash value of the first code according to the address and length in the first thread information. Specifically, for example, the third thread may determine the sixth area, where the first code is located, according to the address and length in the first thread information (that is, the address and length of the first code), and then calculate the hash value of the first code in the sixth area using a preset hash algorithm.

It can then be determined whether the calculated hash value of the first code is the same as the hash value in the first thread information (the hash value of the original first code). If the calculated hash value of the first code is the same as the hash value in the first thread information, the third thread considers the first thread not hijacked and may check whether the first thread has exited. If the first thread has not exited, the third thread completes the current round of guarding, sleeps for a preset duration (for example 15ms or 20ms), and then starts the next round of guarding; that is, the third thread again guards the callback functions of the driver and the first thread.

The preset duration may also take other values, for example 10ms or 25ms. Those skilled in the art may set the specific value of the preset duration according to the actual situation, and the present disclosure does not limit this.

In this embodiment, the third thread guards the first thread by checking whether the first thread has been hijacked and whether the first thread has exited, so that the first thread can be quickly recovered if it has been hijacked or has exited.

In a possible implementation, when the calculated hash value of the first code differs from the hash value in the first thread information, the first thread can be considered hijacked (for example, hooked or patched), and the first code corresponding to the first thread needs to be repaired. In this case, the third thread may repair the first code according to the driver image and the address and length in the first thread information. Specifically, for example, the third thread may re-obtain the first code from the driver image according to the address and length in the first thread information, and use the re-obtained first code to repair the first code corresponding to the first thread. In this way, a hijacked first thread can be quickly repaired.

In a possible implementation, when the first thread has exited, the third thread restarts the first thread. After the first thread starts successfully, the third thread completes the current round of guarding, sleeps for a preset duration (for example 15ms or 20ms), and then starts the next round of guarding. In this way, a first thread that has exited can be quickly recovered.

It should be noted that while the first code or the code of a callback function of the driver is being repaired as described above, the memory bus may be locked to prevent other concurrent operations during the repair (for example, processor instruction fetches) from causing the electronic device to malfunction (for example, a crash or a blue screen). After the repair is completed, the lock on the memory bus is released automatically.

In a possible implementation, the third thread may record the number of callback function repairs, the number of first thread repairs, and the number of first thread restarts. For example, after the third thread repairs the code of one callback function of the driver, it may increase the number of callback function repairs by 1; after the third thread repairs the first code corresponding to the first thread, it may increase the number of first thread repairs by 1; and after the third thread restarts the first thread, it may increase the number of first thread restarts by 1.

Recording the number of callback function repairs, first thread repairs, and first thread restarts makes it easier to later analyze the state of the callback functions and the running state of the first thread while the driver is running, in order to find weak points in the driver protection process.

Fig. 5 shows a schematic diagram of the guarding process of the third thread according to an embodiment of the present disclosure. In this embodiment, the first thread information and the key information of the driver are stored in a preset storage area. During guarding, the third thread first guards the callback functions of the driver, and then guards the first thread.

As shown in Fig. 5, the process by which the third thread guards the callback functions of the driver and the first thread may include the following steps:

Step S501: obtain the first thread information, and the callback function information in the key information, from the preset storage area;

Step S502: calculate the hash value of each callback function of the driver according to the address and length of each callback function in the callback function information;

Step S503: determine whether the hash value of each callback function of the driver is the same as its reference hash value;

If the hash value of every callback function of the driver is the same as its reference hash value, perform step S504: calculate the hash value of the first code according to the address and length in the first thread information;

Step S505: determine whether the calculated hash value of the first code is the same as the hash value in the first thread information;

If the calculated hash value of the first code is the same as the hash value in the first thread information, perform step S506: check whether the first thread has exited;

If the first thread has not exited, perform step S507: sleep for the preset duration; then perform the next round of guarding, starting again from step S501.

If any callback function of the driver has a hash value that differs from its reference hash value, perform step S508: repair the code of each callback function whose hash value differs from its reference hash value; then perform step S504.

If the calculated hash value of the first code differs from the hash value in the first thread information, perform step S509: repair the first code according to the driver image and the address and length in the first thread information; then perform step S506.

If the first thread has exited, perform step S510: restart the first thread; then perform step S507.

In a possible implementation, the method further includes: the interrupt service of the driver guards the first thread.

The interrupt service of the driver can be used to perform interrupt processing related to the hardware device in response to a call from the processor. For example, the hardware device sends an interrupt request to the processor; after receiving the interrupt request, the processor performs interrupt arbitration and interrupt response, and then calls the interrupt service in the driver of the hardware device to perform the interrupt processing.

In the driver protection process, having the interrupt service guard the first thread can improve the protection effect. For example, if the ring guard formed by the first thread, the second thread, and the third thread fails, the first thread can be restored through the interrupt service's guarding of the first thread, which in turn restores the ring guard formed by the first thread, the second thread, and the third thread.

In a possible implementation, the timing at which the interrupt service of the driver guards the first thread may be set according to the actual situation, and the present disclosure does not limit this. In one example, the interrupt service of the driver may guard the first thread every time it handles an interrupt triggered by the hardware device. In another example, a special interrupt may be set up in the hardware device to notify the interrupt service to guard the first thread.

In a possible implementation, the interrupt service of the driver guarding the first thread includes: before the interrupt service of the driver performs interrupt processing, the interrupt service calculates the hash value of the first code according to the address and length in the first thread information; if the hash value of the first code is the same as the hash value in the first thread information, the interrupt service checks whether the first thread has exited; and if the first thread has not exited, the interrupt service performs the interrupt processing.

In a possible implementation, after the interrupt service of the driver receives an interrupt for processing and before it performs the interrupt processing, the interrupt service of the driver may calculate the hash value of the first code according to the address and length in the first thread information. Specifically, for example, the interrupt service may determine the sixth area, where the first code is located, according to the address and length in the first thread information (that is, the address and length of the first code), and then calculate the hash value of the first code in the sixth area using a preset hash algorithm.

It can then be determined whether the calculated hash value of the first code is the same as the hash value in the first thread information (the hash value of the original first code). If the calculated hash value of the first code is the same as the hash value in the first thread information, the interrupt service considers the first thread not hijacked and may check whether the first thread has exited. If the first thread has not exited, the interrupt service may perform the interrupt processing.

In this embodiment, before performing interrupt processing, the interrupt service guards the first thread by checking whether the first thread has been hijacked and whether the first thread has exited, so that the first thread can be quickly recovered if it has been hijacked or has exited. The interrupt service performs the interrupt processing after it has finished guarding the first thread, so that its guarding of the first thread and its execution of interrupt processing are effectively combined, which improves the protection effect.

In a possible implementation, when the calculated hash value of the first code differs from the hash value in the first thread information, the first thread can be considered hijacked (for example, hooked or patched), and the first code corresponding to the first thread needs to be repaired. In this case, the interrupt service may repair the first code according to the driver image and the address and length in the first thread information. Specifically, for example, the interrupt service may re-obtain the first code from the driver image according to the address and length in the first thread information, and use the re-obtained first code to repair the first code corresponding to the first thread. In this way, a hijacked first thread can be quickly repaired.

In a possible implementation, when the first thread has exited, the interrupt service restarts the first thread. After the first thread starts successfully, the interrupt service completes the current round of guarding and then performs the interrupt processing.

It should be noted that while the first code is being repaired as described above, the memory bus may be locked to prevent other concurrent operations during the repair (for example, processor instruction fetches) from causing the electronic device to malfunction (for example, a crash or a blue screen). After the repair is completed, the lock on the memory bus is released automatically.

In a possible implementation, the interrupt service may update the number of first thread repairs and the number of first thread restarts. For example, after the interrupt service repairs the first code corresponding to the first thread, it may increase the number of first thread repairs by 1; after the interrupt service restarts the first thread, it may increase the number of first thread restarts by 1. Updating the number of first thread repairs and first thread restarts makes it easier to later analyze the running state of the first thread, in order to find weak points in the driver protection process.

Fig. 6 shows a schematic diagram of the guarding process of the interrupt service according to an embodiment of the present disclosure. In this embodiment, the first thread information is stored in a preset storage area.

As shown in Fig. 6, the process by which the interrupt service guards the first thread may include the following steps:

Step S601: the interrupt service of the driver receives an interrupt for processing;

Step S602: before performing the interrupt processing, the interrupt service obtains the first thread information from the preset storage area;

Step S603: calculate the hash value of the first code according to the address and length in the first thread information;

Step S604: determine whether the calculated hash value of the first code is the same as the hash value in the first thread information;

If the calculated hash value of the first code is the same as the hash value in the first thread information, perform step S605: check whether the first thread has exited;

If the first thread has not exited, perform step S606: perform the interrupt processing.

If the calculated hash value of the first code differs from the hash value in the first thread information, perform step S607: repair the first code according to the driver image and the address and length in the first thread information; then perform step S605.

If the first thread has exited, perform step S608: restart the first thread; then perform step S606.
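The guard passes of Figs. 4, 5 and 6 share one shape: hash each recorded region, repair it from the driver image on a mismatch, then restart the guarded thread if it has exited. The user-space C simulation below is an added example, not code from the patent; FNV-1a stands in for the unspecified preset hash algorithm, addresses are modelled as offsets into a byte buffer, and every struct and function name is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: FNV-1a stands in for the "preset hash algorithm",
 * which the text does not name. */
static uint32_t fnv1a(const uint8_t *p, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Hypothetical model of a loaded driver and its pristine image. */
struct driver {
    uint8_t       *live;   /* in-memory code/tables that may be hooked or patched */
    const uint8_t *image;  /* driver image used as the repair source */
    size_t         size;
};

/* One record of key information or thread information: address, length, hash. */
struct region_info {
    size_t   offset;    /* "address", modelled as an offset into the driver */
    size_t   len;
    uint32_t ref_hash;  /* hash recorded when the region was known good */
    unsigned repairs;   /* repair counter kept for later analysis */
};

struct guarded_thread {
    int      alive;     /* 0 means the thread has exited */
    unsigned restarts;  /* restart counter kept for later analysis */
};

static int in_bounds(const struct driver *d, size_t off, size_t len)
{
    return off <= d->size && len <= d->size - off;
}

/* Record a region's reference hash from the pristine image. */
static int region_init(struct region_info *r, const struct driver *d,
                       size_t off, size_t len)
{
    if (!in_bounds(d, off, len))
        return -1;
    r->offset = off;
    r->len = len;
    r->repairs = 0;
    r->ref_hash = fnv1a(d->image + off, len);
    return 0;
}

/* Returns 0 if intact, 1 if repaired, -1 on bad bounds or failed repair.
 * The simulation is single-threaded, so the memory bus lock is omitted. */
static int guard_region(struct driver *d, struct region_info *r)
{
    if (!in_bounds(d, r->offset, r->len))
        return -1;
    if (fnv1a(d->live + r->offset, r->len) == r->ref_hash)
        return 0;
    memcpy(d->live + r->offset, d->image + r->offset, r->len);
    r->repairs++;
    return fnv1a(d->live + r->offset, r->len) == r->ref_hash ? 1 : -1;
}

/* One guard pass: regions in order, then thread liveness.
 * Returns the number of corrective actions taken, or -1 on error. */
static int guard_pass(struct driver *d, struct region_info *regions,
                      size_t n, struct guarded_thread *t)
{
    int actions = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = guard_region(d, &regions[i]);
        if (rc < 0)
            return -1;
        actions += rc;
    }
    if (!t->alive) {        /* restart the exited thread */
        t->alive = 1;
        t->restarts++;
        actions++;
    }
    return actions;
}

int main(void)
{
    uint8_t image[48], live[48];            /* constructed sample "driver" */
    for (size_t i = 0; i < sizeof image; i++)
        image[i] = (uint8_t)(i * 7 + 1);
    memcpy(live, image, sizeof live);
    struct driver d = { live, image, sizeof image };
    struct region_info regs[3];             /* Fig. 4 order: callback table, dispatch table, third code */
    for (size_t i = 0; i < 3; i++)
        region_init(&regs[i], &d, i * 16, 16);
    struct guarded_thread t = { 1, 0 };
    live[20] ^= 0xFF;                       /* simulate a patched dispatch table entry */
    t.alive = 0;                            /* simulate the guarded thread exiting */
    printf("actions=%d repairs[1]=%u restarts=%u\n",
           guard_pass(&d, regs, 3, &t), regs[1].repairs, t.restarts);
    return 0;
}
```

After `guard_pass` returns, a Fig. 4 or Fig. 5 caller would sleep for the preset duration and call it again, while a Fig. 6 caller would go on to the interrupt processing. The check is only as trustworthy as the stored reference hashes and the image used for repair.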

In a possible implementation, the method further includes: the firmware of the hardware device guards the interrupt service.

In the driver protection process, having the firmware of the hardware device guard the interrupt service can further improve the protection effect. For example, if the interrupt service is hijacked, the interrupt service can be restored through the firmware's guarding of the interrupt service; the first process can then be restored through the interrupt service's guarding of the first process, which in turn restores the ring guard formed by the first thread, the second thread, and the third thread, that is, the guarding of the second thread by the first thread, of the third thread and the driver by the second thread, and of the first thread and the driver by the third thread.

在一种可能的实现方式中,驱动程序的关键信息还包括所述中断服务对应的中断处理函数信息,所述中断处理函数信息包括所述中断服务对应的中断处理函数的地址、长度及哈希值;In a possible implementation manner, the key information of the driver further includes the interrupt processing function information corresponding to the interrupt service, and the interrupt processing function information includes the address, length and hash of the interrupt processing function corresponding to the interrupt service value;

the firmware of the hardware device guarding the interrupt service includes: the firmware computes the hash value of the interrupt handling function according to the address and length in the interrupt handling function information; if the hash value of the interrupt handling function is the same as the hash value in the interrupt handling function information, the firmware sleeps for a preset duration and then restarts execution from the following step: the firmware computes the hash value of the interrupt handling function according to the address and length in the interrupt handling function information.

In a possible implementation, when the firmware of the hardware device guards the interrupt service, it may compute the hash value of the interrupt handling function according to the address and length in the interrupt handling function information. For example, the firmware may determine, from the address and length in the interrupt handling function information, the seventh region in which the code of the interrupt handling function resides, then compute the hash value of the code in the seventh region using a preset hash algorithm, and take that hash value as the hash value of the interrupt handling function. Because the code of the interrupt handling function is located in system memory, the firmware must perform address translation before computing the hash value of the code in the seventh region, that is, convert the processor-side address into an address of the hardware device segment.

It can then be determined whether the computed hash value of the interrupt handling function is the same as the hash value in the interrupt handling function information. If they are the same, the firmware may consider that the interrupt service has not been hijacked; after sleeping for a preset duration, the firmware starts the next round of guarding, that is, it re-executes from the step "the firmware computes the hash value of the interrupt handling function according to the address and length in the interrupt handling function information".

In a possible implementation, if the computed hash value of the interrupt handling function differs from the hash value in the interrupt handling function information, the firmware may consider that the interrupt service has been hijacked (for example, hooked or patched). In this case, the firmware may control the hardware device to stop sending interrupt requests so as to stop the interrupt service, and then repair the interrupt handling function according to the driver image and the address and length in the interrupt handling function information. For example, the firmware may re-obtain the code of the interrupt handling function from the driver image according to the address and length in the interrupt handling function information, and then repair the code of the interrupt handling function using the re-obtained code.

After the repair is complete, the firmware may control the hardware device to resume sending interrupt requests so as to restore the interrupt service. Once the interrupt service is restored, its guarding of the first thread can restore the first thread, which in turn restores the guarding of the second thread by the first thread, of the third thread and the driver by the second thread, and of the first thread and the driver by the third thread.

In this way, the firmware of the hardware device can repair the driver's interrupt service, thereby improving the security of the driver.

FIG. 7 shows a schematic diagram of a firmware guarding process according to an embodiment of the present disclosure. In this embodiment, the interrupt handling function information in the key information of the driver is stored in a preset storage area.

As shown in FIG. 7, the process by which the firmware guards the interrupt service may include the following steps:

Step S701: obtain the interrupt handling function information from the preset storage area;

Step S702: compute the hash value of the interrupt handling function according to the address and length in the interrupt handling function information;

Step S703: determine whether the computed hash value of the interrupt handling function is the same as the hash value in the interrupt handling function information;

If the computed hash value of the interrupt handling function is the same as the hash value in the interrupt handling function information, step S704 is executed: sleep for a preset duration. The next round of guarding is then executed, restarting from step S701.

If the computed hash value of the interrupt handling function differs from the hash value in the interrupt handling function information, the following steps may be executed:

Step S705: control the hardware device to stop sending interrupt requests, so as to stop the interrupt service;

Step S706: repair the interrupt handling function according to the driver image and the address and length in the interrupt handling function information;

Step S707: after the repair is complete, control the hardware device to resume sending interrupt requests, so as to restore the interrupt service;

Step S704: sleep for a preset duration. The next round of guarding is then executed, restarting from step S701.
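The guard round of steps S701 to S707, written out as an added C simulation that is not code from the patent. Assumptions: FNV-1a stands in for the unspecified preset hash algorithm, byte arrays stand in for system memory and the driver image, a bounds-checked offset stands in for address translation, and the hash check after the repair is an addition to the described flow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64  /* size of the simulated memory window (assumption) */

/* Interrupt handling function information: address, length and hash value. */
typedef struct { size_t addr; size_t len; uint64_t hash; } handler_info_t;

typedef struct {
    uint8_t live[MEM_SIZE];   /* simulated system memory holding the loaded driver */
    uint8_t image[MEM_SIZE];  /* driver image: in-memory backup of the original */
    handler_info_t info;      /* record kept in the preset storage area */
    int info_written;         /* emulates the write-once storage area */
    int irq_enabled;          /* whether the device may send interrupt requests */
    unsigned repairs;
} guard_ctx_t;

typedef enum {
    GUARD_OK = 0, GUARD_REPAIRED = 1, GUARD_BAD_INFO = -1, GUARD_REPAIR_FAILED = -2
} guard_result_t;

/* FNV-1a, standing in for the patent's unspecified "preset hash algorithm". */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Stand-in for address translation: processor-side address to a pointer the
 * firmware can read, refusing any range that leaves the mapped window. */
static uint8_t *translate(uint8_t *base, size_t addr, size_t len)
{
    if (len == 0 || addr > MEM_SIZE || len > MEM_SIZE - addr) return NULL;
    return base + addr;
}

/* Record address, length and reference hash once; later writes are refused. */
int guard_record_info(guard_ctx_t *g, size_t addr, size_t len)
{
    const uint8_t *p = translate(g->image, addr, len);
    if (g->info_written || p == NULL) return -1;
    g->info = (handler_info_t){ addr, len, fnv1a64(p, len) };
    g->info_written = 1;
    return 0;
}

/* One guard round. The caller performs S704 (sleep) between rounds. */
guard_result_t guard_round(guard_ctx_t *g)
{
    if (!g->info_written) return GUARD_BAD_INFO;
    handler_info_t info = g->info;                              /* S701 */
    uint8_t *code = translate(g->live, info.addr, info.len);
    const uint8_t *orig = translate(g->image, info.addr, info.len);
    if (code == NULL || orig == NULL) return GUARD_BAD_INFO;

    if (fnv1a64(code, info.len) == info.hash) return GUARD_OK;  /* S702, S703 */

    g->irq_enabled = 0;                                         /* S705 */
    memcpy(code, orig, info.len);                               /* S706 */
    /* Added check, not in the patent's flow: confirm the restored bytes match
     * the reference hash. If the driver image itself was altered, keep
     * interrupt requests stopped rather than resume a bad handler. */
    if (fnv1a64(code, info.len) != info.hash) return GUARD_REPAIR_FAILED;
    g->repairs++;
    g->irq_enabled = 1;                                         /* S707 */
    return GUARD_REPAIRED;
}

static guard_ctx_t g_demo;

/* Constructed scenario: an 8-byte "handler" at offset 16, optionally altered
 * in live memory and/or in the driver image, followed by one guard round. */
guard_result_t run_scenario(int alter_live, int alter_image)
{
    static const uint8_t handler[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed */
    memset(&g_demo, 0, sizeof g_demo);
    memcpy(g_demo.live + 16, handler, sizeof handler);
    memcpy(g_demo.image + 16, handler, sizeof handler);
    g_demo.irq_enabled = 1;
    guard_record_info(&g_demo, 16, sizeof handler);
    if (alter_live)  g_demo.live[16] ^= 0xff;
    if (alter_image) g_demo.image[17] ^= 0xff;
    return guard_round(&g_demo);
}

int main(void)
{
    for (int s = 0; s < 3; s++) {
        guard_result_t r = run_scenario(s >= 1, s == 2);
        printf("scenario %d: result=%d irq_enabled=%d\n", s, (int)r, g_demo.irq_enabled);
    }
    return 0;
}
```

The third scenario shows the limit of the scheme as described: the repair is only as trustworthy as the driver image it copies from, so the image needs the same integrity protection as the reference hashes.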

FIG. 8 shows a schematic diagram of a driver protection method according to an embodiment of the present disclosure. As shown in FIG. 8, the first thread 210 guards the second thread 220; the second thread 220 guards the third thread 230 and the dispatch function table 241 and callback function table 242 of the driver 240; the third thread 230 guards the first thread 210 and the callback function 243 of the driver 240; the interrupt service 250 of the hardware device guards the first thread 210; and the firmware 260 of the hardware device guards the interrupt service 250.

In this way, the driver 240 of the hardware device can be given comprehensive, multi-layered protection that minimizes the possibility of the driver being hijacked, thereby improving the security of the driver, which in turn protects user data and improves the user experience.

It should be noted that although the driver protection method has been described above using the foregoing embodiments as examples, those skilled in the art will understand that the present disclosure is not limited thereto. In fact, the user can flexibly set each step according to personal preference and/or the actual application scenario, as long as it conforms to the technical solution of the present disclosure.

FIG. 9 shows a block diagram of a driver protection apparatus according to an embodiment of the present disclosure. As shown in FIG. 9, the driver protection apparatus includes:

a first information determination module 91, configured to determine key information of the driver after the driver of the hardware device is loaded into memory, the key information including at least one of callback function table information, callback function information and dispatch function table information of the driver;

a second information determination module 92, configured to determine first thread information, second thread information and third thread information, the first thread information including the address, length and hash value of the first code corresponding to the first thread, the second thread information including the address, length and hash value of the second code corresponding to the second thread, and the third thread information including the address, length and hash value of the third code corresponding to the third thread;

a thread starting module 93, configured to start the first thread, the second thread and the third thread;

a first guard module 94, by which, according to the key information, the first thread information, the second thread information and the third thread information, the first thread guards the second thread, the second thread guards the third thread and the driver, and the third thread guards the first thread and the driver.

In a possible implementation, the first guard module 94 includes: a first guard submodule, by which the first thread guards the second thread according to the second thread information; a second guard submodule, by which the second thread guards the driver's callback function table, dispatch function table and the third thread according to the key information and the third thread information; and a third guard submodule, by which the third thread guards the driver's callback function and the first thread according to the key information and the first thread information.

In a possible implementation, the first guard submodule is configured so that: the first thread computes the hash value of the second code according to the address and length in the second thread information; if the hash value of the second code is the same as the hash value in the second thread information, the first thread checks whether the second thread has exited; if the second thread has not exited, the first thread sleeps for a preset duration and then restarts execution from the following step: the first thread computes the hash value of the second code according to the address and length in the second thread information.

In a possible implementation, the first guard submodule is further configured so that: if the hash value of the second code differs from the hash value in the second thread information, the first thread repairs the second code according to the driver image and the address and length in the second thread information, the driver image being an in-memory backup of the original driver on the hard disk.

In a possible implementation, the first guard submodule is further configured so that: if the second thread has exited, the first thread restarts the second thread.

In a possible implementation, the second guard submodule is configured so that: the second thread guards the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information; and the second thread guards the third thread according to the third thread information.

In a possible implementation, the callback function table information includes the address, length and hash value of the driver's callback function table, and the dispatch function table information includes the address, length and hash value of the driver's dispatch function table. The second thread guarding the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information includes: the second thread computes the hash value of the driver's callback function table according to the address and length in the callback function table information; if the hash value of the driver's callback function table differs from the hash value in the callback function table information, the second thread repairs the driver's callback function table according to the driver image and the address and length in the callback function table information; the second thread computes the hash value of the driver's dispatch function table according to the address and length in the dispatch function table information; if the hash value of the driver's dispatch function table differs from the hash value in the dispatch function table information, the second thread repairs the driver's dispatch function table according to the driver image and the address and length in the dispatch function table information.

In a possible implementation, the third guard submodule is configured so that: the third thread guards the driver's callback function according to the callback function information in the key information; and the third thread guards the first thread according to the first thread information.

In a possible implementation, the callback function information includes the addresses, lengths and hash values of all callback functions of the driver. The third thread guarding the driver's callback function according to the callback function information in the key information includes: for any callback function of the driver, the third thread computes the hash value of the callback function according to the address and length of the callback function in the callback function information; if the hash value of the callback function differs from a reference hash value, the second thread repairs the code of the callback function according to the driver image and the address and length of the callback function in the callback function table information, the reference hash value being the hash value of the callback function in the callback function information.

In a possible implementation, the apparatus further includes: a second guard module, by which the interrupt service of the driver guards the first thread.

In a possible implementation, the second guard module includes: a first calculation submodule, by which, before the interrupt service of the driver executes interrupt handling, the interrupt service computes the hash value of the first code according to the address and length in the first thread information; a first checking submodule, by which, if the hash value of the first code is the same as the hash value in the first thread information, the interrupt service checks whether the first thread has exited; and an execution submodule, by which, if the first thread has not exited, the interrupt service executes the interrupt handling.

In a possible implementation, the apparatus further includes: a third guard module, by which the firmware of the hardware device guards the interrupt service.

In a possible implementation, the key information further includes interrupt handling function information corresponding to the interrupt service, the interrupt handling function information including the address, length and hash value of the interrupt handling function corresponding to the interrupt service. The third guard module includes: a second calculation submodule, by which the firmware computes the hash value of the interrupt handling function according to the address and length in the interrupt handling function information; and a sleep submodule, by which, if the hash value of the interrupt handling function is the same as the hash value in the interrupt handling function information, the firmware sleeps for a preset duration and then restarts execution from the following step: the firmware computes the hash value of the interrupt handling function according to the address and length in the interrupt handling function information.

In a possible implementation, the third guard module includes: an interrupt service stopping submodule, by which, if the hash value of the interrupt handling function differs from the hash value in the interrupt handling function information, the firmware controls the hardware device to stop sending interrupt requests, so as to stop the interrupt service; a repair submodule, by which the firmware repairs the interrupt handling function according to the driver image and the address and length in the interrupt handling function information; and an interrupt service restoring submodule, by which, after the repair is complete, the firmware controls the hardware device to resume sending interrupt requests, so as to restore the interrupt service.

In a possible implementation, the first information determination module 91 includes: a second checking submodule, which, after the driver is loaded into memory, checks whether the driver was modified during loading; and an information determination submodule, which determines the key information of the driver if the driver was not modified during loading.

In a possible implementation, the second checking submodule is configured to: verify the driver after the driver is loaded into memory, the verification including at least one of hash verification and certificate signature verification; if the verification passes, perform alignment and relocation processing on the driver; and determine, according to the driver image, whether the driver was modified during loading.

In a possible implementation, determining, according to the driver image, whether the driver was modified during loading includes: computing the hash value of the driver image and the hash value of the driver separately; and, if the hash value of the driver image is the same as the hash value of the driver, determining that the driver was not modified during loading.

In a possible implementation, the information determination submodule is configured to: if the driver was modified during loading, repair the driver according to the driver image; and, after the repair of the driver is complete, determine the key information of the driver.

In a possible implementation, the apparatus further includes: a registration module, configured to register the callback functions of the driver through a custom callback registration function after the callback function information has been determined.

In a possible implementation, the apparatus further includes: a storage module, configured to store the key information, the first thread information, the second thread information and the third thread information in a preset storage area, the storage area being one that allows writing only once.

In some embodiments, the functions of, or the modules included in, the apparatus provided by the embodiments of the present disclosure can be used to execute the methods described in the method embodiments above; for their specific implementation, refer to the description of the method embodiments above, which is not repeated here for brevity.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, a program segment, or a portion of an instruction, which contains one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two consecutive blocks may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.

Various embodiments of the present disclosure have been described above. The foregoing description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, their practical application or their technical improvement over technologies in the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (40)

1. A driver protection method, characterized in that the method comprises:
after a driver of a hardware device is loaded into memory, determining key information of the driver, the key information including at least one of callback function table information, callback function information and dispatch function table information of the driver;
determining first thread information, second thread information and third thread information, the first thread information including the address, length and hash value of first code corresponding to a first thread, the second thread information including the address, length and hash value of second code corresponding to a second thread, and the third thread information including the address, length and hash value of third code corresponding to a third thread;
starting the first thread, the second thread and the third thread;
according to the key information, the first thread information, the second thread information and the third thread information, the first thread guarding the second thread, the second thread guarding the third thread and the driver, and the third thread guarding the first thread and the driver.

2. The method according to claim 1, characterized in that, according to the key information, the first thread information, the second thread information and the third thread information, the first thread guarding the second thread, the second thread guarding the third thread and the driver, and the third thread guarding the first thread and the driver comprises:
the first thread guarding the second thread according to the second thread information;
the second thread guarding the driver's callback function table, dispatch function table and the third thread according to the key information and the third thread information;
the third thread guarding the driver's callback function and the first thread according to the key information and the first thread information.

3. The method according to claim 2, characterized in that the first thread guarding the second thread according to the second thread information comprises:
the first thread computing the hash value of the second code according to the address and length in the second thread information;
if the hash value of the second code is the same as the hash value in the second thread information, the first thread checking whether the second thread has exited;
if the second thread has not exited, the first thread sleeping for a preset duration and then restarting execution from the following step: the first thread computing the hash value of the second code according to the address and length in the second thread information.

4. The method according to claim 3, characterized in that the first thread guarding the second thread according to the second thread information further comprises:
if the hash value of the second code differs from the hash value in the second thread information, the first thread repairing the second code according to the driver image and the address and length in the second thread information, the driver image being an in-memory backup of the original driver on the hard disk.

5. The method according to claim 3, characterized in that the first thread guarding the second thread according to the second thread information further comprises:
if the second thread has exited, the first thread restarting the second thread.

6. The method according to claim 2, characterized in that the second thread guarding the driver's callback function table, dispatch function table and the third thread according to the key information and the third thread information comprises:
the second thread guarding the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information;
the second thread guarding the third thread according to the third thread information.

7. The method according to claim 6, characterized in that the callback function table information includes the address, length and hash value of the driver's callback function table, and the dispatch function table information includes the address, length and hash value of the driver's dispatch function table;
the second thread guarding the driver's callback function table and dispatch function table according to the callback function table information and the dispatch function table information in the key information comprises:
the second thread computing the hash value of the driver's callback function table according to the address and length in the callback function table information;
if the hash value of the driver's callback function table differs from the hash value in the callback function table information, the second thread repairing the driver's callback function table according to the driver image and the address and length in the callback function table information;
the second thread computing the hash value of the driver's dispatch function table according to the address and length in the dispatch function table information;
if the hash value of the driver's dispatch function table differs from the hash value in the dispatch function table information, the second thread repairing the driver's dispatch function table according to the driver image and the address and length in the dispatch function table information.

8. The method according to claim 2, characterized in that the third thread guarding the driver's callback function and the first thread according to the key information and the first thread information comprises:
the third thread guarding the driver's callback function according to the callback function information in the key information;
the third thread guarding the first thread according to the first thread information.

9. The method according to claim 8, characterized in that the callback function information includes the addresses, lengths and hash values of all callback functions of the driver;
the third thread guarding the driver's callback function according to the callback function information in the key information comprises:
for any callback function of the driver, the third thread computing the hash value of the callback function according to the address and length of the callback function in the callback function information;
if the hash value of the callback function differs from a reference hash value, the second thread repairing the code of the callback function according to the driver image and the address and length of the callback function in the callback function table information, the reference hash value being the hash value of the callback function in the callback function information.

10. The method according to claim 1, characterized in that the method further comprises:
the interrupt service of the driver guarding the first thread.

11. The method according to claim 10, characterized in that the interrupt service of the driver guarding the first thread comprises:
before the interrupt service of the driver executes interrupt handling, the interrupt service computing the hash value of the first code according to the address and length in the first thread information;
if the hash value of the first code is the same as the hash value in the first thread information, the interrupt service checking whether the first thread has exited;
if the first thread has not exited, the interrupt service executing the interrupt handling.

12. The method according to claim 10, characterized in that the method further comprises:
the firmware of the hardware device guarding the interrupt service.

13. The method according to claim 12, characterized in that the key information further includes interrupt handling function information corresponding to the interrupt service, the interrupt handling function information including the address, length and hash value of the interrupt handling function corresponding to the interrupt service;
the firmware of the hardware device guarding the interrupt service comprises:
the firmware computing the hash value of the interrupt handling function according to the address and length in the interrupt handling function information;
if the hash value of the interrupt handling function is the same as the hash value in the interrupt handling function information, the firmware sleeping for a preset duration and then restarting execution from the following step: the firmware, according to the address and
length in the interrupt handling function information are used to calculate the hash value of the interrupt handling function. 14.根据权利要求13所述的方法,其特征在于,所述硬件设备的固件对所述中断服务进行守护,包括:14. The method according to claim 13, wherein the firmware of the hardware device guards the interrupt service, comprising: 在所述中断处理函数的哈希值与所述中断处理函数信息中的哈希值不同的情况下,所述固件控制所述硬件设备停止发送中断请求,以停止所述中断服务;When the hash value of the interrupt handling function is different from the hash value in the interrupt handling function information, the firmware controls the hardware device to stop sending interrupt requests, so as to stop the interrupt service; 所述固件根据驱动映像、所述中断处理函数信息中的地址及长度,对所述中断处理函数进行修复;The firmware repairs the interrupt processing function according to the drive image, the address and the length in the interrupt processing function information; 在修复完成后,所述固件控制所述硬件设备恢复中断请求的发送,以恢复所述中断服务。After the repair is completed, the firmware controls the hardware device to resume sending the interrupt request, so as to restore the interrupt service. 15.根据权利要求1所述的方法,其特征在于,确定所述驱动程序的关键信息,包括:15. The method according to claim 1, wherein determining the key information of the driver comprises: 在所述驱动程序载入内存后,检查所述驱动程序在加载过程中是否被修改;After the driver is loaded into the memory, check whether the driver is modified during the loading process; 在所述驱动程序在加载过程中未被修改的情况下,确定所述驱动程序的关键信息。In the case that the driver is not modified during the loading process, key information of the driver is determined. 16.根据权利要求15所述的方法,其特征在于,所述检查所述驱动程序在加载过程中是否被修改,包括:16. 
The method according to claim 15, wherein the checking whether the driver is modified during loading comprises: 在所述驱动程序载入内存后,对所述驱动程序进行校验,所述校验包括哈希校验、证书签名校验中的至少一种;After the driver program is loaded into the memory, the driver program is verified, and the verification includes at least one of hash verification and certificate signature verification; 在校验通过的情况下,对所述驱动程序进行对齐及重定位处理;If the verification is passed, the driver is aligned and relocated; 根据驱动映像,判断所述驱动程序在加载过程中是否被修改。According to the driver image, it is judged whether the driver is modified during the loading process. 17.根据权利要求16所述的方法,其特征在于,所述根据驱动映像,判断所述驱动程序在加载过程中是否被修改,包括:17. The method according to claim 16, wherein the determining whether the driver is modified during the loading process according to the driver image comprises: 分别计算所述驱动映像的哈希值及所述驱动程序的哈希值;respectively calculating the hash value of the driver image and the hash value of the driver; 在所述驱动映像的哈希值与所述驱动程序的哈希值相同的情况下,确定所述驱动程序在加载过程中未被修改。If the hash value of the driver image is the same as the hash value of the driver, it is determined that the driver has not been modified during the loading process. 18.根据权利要求15所述的方法,其特征在于,确定所述驱动程序的关键信息,包括:18. The method according to claim 15, wherein determining the key information of the driver comprises: 在驱动程序在加载过程中被修改的情况下,根据驱动映像,对所述驱动程序进行修复;In the case that the driver is modified during the loading process, repairing the driver according to the driver image; 在所述驱动程序修复完成后,确定所述驱动程序的关键信息。After the driver is repaired, key information of the driver is determined. 19.根据权利要求1所述的方法,其特征在于,所述方法还包括:19. The method of claim 1, further comprising: 确定出所述回调函数信息后,通过自定义的回调注册函数,对所述驱动程序的回调函数进行注册。After the callback function information is determined, the callback function of the driver is registered through a self-defined callback registration function. 20.根据权利要求1-19中任意一项所述的方法,其特征在于,所述方法还包括:20. 
The method according to any one of claims 1-19, further comprising: 将所述关键信息、所述第一线程信息、所述第二线程信息及所述第三线程信息,存储至预设的存储区域,所述存储区域为仅允许写入一次的存储区域。The key information, the first thread information, the second thread information, and the third thread information are stored in a preset storage area, and the storage area is only allowed to be written once. 21.一种驱动程序防护装置,其特征在于,所述装置包括:21. A driver protection device, characterized in that the device comprises: 第一信息确定模块,用于在硬件设备的驱动程序载入内存后,确定所述驱动程序的关键信息,所述关键信息包括所述驱动程序的回调函数表信息、回调函数信息及派遣函数表信息中的至少一种;The first information determination module is used to determine the key information of the driver after the driver of the hardware device is loaded into the memory, and the key information includes the callback function table information, callback function information and dispatch function table of the driver. at least one of the information; 第二信息确定模块,用于确定第一线程信息、第二线程信息及第三线程信息,所述第一线程信息包括第一线程对应的第一代码的地址、长度及哈希值,所述第二线程信息包括第二线程对应的第二代码的地址、长度及哈希值,所述第三线程信息包括第三线程对应的第三代码的地址、长度及哈希值;The second information determination module is used to determine the first thread information, the second thread information and the third thread information, the first thread information includes the address, length and hash value of the first code corresponding to the first thread, the said The second thread information includes the address, length and hash value of the second code corresponding to the second thread, and the third thread information includes the address, length and hash value of the third code corresponding to the third thread; 线程启动模块,用于启动所述第一线程、所述第二线程及所述第三线程;a thread starting module, configured to start the first thread, the second thread and the third thread; 第一守护模块,根据所述关键信息、所述第一线程信息、所述第二线程信息及所述第三线程信息,所述第一线程对所述第二线程、所述第二线程对所述第三线程和所述驱动程序、及所述第三线程对所述第一线程和所述驱动程序进行守护。The first guard module, according to the key information, the first thread information, the second thread information, and the third thread information, the first thread to the second thread, the 
second thread to the second thread The third thread and the driver, and the third thread guards the first thread and the driver. 22.根据权利要求21所述的装置,其特征在于,所述第一守护模块,包括:22. The device according to claim 21, wherein the first guard module comprises: 第一守护子模块,所述第一线程根据所述第二线程信息,对所述第二线程进行守护;A first guard submodule, the first thread guards the second thread according to the second thread information; 第二守护子模块,所述第二线程根据所述关键信息及所述第三线程信息,对所述驱动程序的回调函数表、派遣函数表及所述第三线程进行守护;The second guard submodule, the second thread guards the callback function table, dispatch function table and the third thread of the driver according to the key information and the third thread information; 第三守护子模块,所述第三线程根据所述关键信息及所述第一线程信息,对所述驱动程序的回调函数及所述第一线程进行守护。The third guarding sub-module, the third thread guards the callback function of the driver and the first thread according to the key information and the first thread information. 23.根据权利要求22所述的装置,其特征在于,所述第一守护子模块,用于:23. The device according to claim 22, wherein the first guardian submodule is configured to: 所述第一线程根据所述第二线程信息中的地址及长度,计算所述第二代码的哈希值;The first thread calculates the hash value of the second code according to the address and length in the second thread information; 在所述第二代码的哈希值与所述第二线程信息中的哈希值相同的情况下,所述第一线程检查所述第二线程是否退出;When the hash value of the second code is the same as the hash value in the second thread information, the first thread checks whether the second thread exits; 在所述第二线程未退出的情况下,所述第一线程休眠预设时长后,重新从下述步骤开始执行:所述第一线程根据所述第二线程信息中的地址及长度,计算所述第二代码的哈希值。In the case that the second thread does not exit, after the first thread sleeps for a preset period of time, it starts to execute again from the following steps: the first thread calculates according to the address and length in the second thread information a hash value of the second code. 24.根据权利要求23所述的装置,其特征在于,所述第一守护子模块,还用于:24. 
The device according to claim 23, wherein the first guardian submodule is also used for: 在所述第二代码的哈希值与所述第二线程信息中的哈希值不同的情况下,所述第一线程根据驱动映像、第二线程信息中的地址及长度,对所述第二代码进行修复,所述驱动映像为硬盘上的原始的驱动程序在内存中的备份。In the case that the hash value of the second code is different from the hash value in the second thread information, the first thread assigns the second code to the second code according to the driver image, the address and the length in the second thread information The second code is repaired, and the driver image is a backup of the original driver program on the hard disk in memory. 25.根据权利要求23所述的装置,其特征在于,所述第一守护子模块,还用于:25. The device according to claim 23, wherein the first guardian submodule is further used for: 在所述第二线程退出的情况下,所述第一线程重新启动所述第二线程。In case the second thread exits, the first thread restarts the second thread. 26.根据权利要求22所述的装置,其特征在于,所述第二守护子模块,用于:26. The device according to claim 22, wherein the second guardian submodule is configured to: 所述第二线程根据所述关键信息中的回调函数表信息及派遣函数表信息,对所述驱动程序的回调函数表及派遣函数表进行守护;The second thread guards the callback function table and dispatch function table of the driver according to the callback function table information and dispatch function table information in the key information; 所述第二线程根据所述第三线程信息,对所述第三线程进行守护。The second thread guards the third thread according to the third thread information. 27.根据权利要求26所述的装置,其特征在于,所述回调函数表信息包括所述驱动程序的回调函数表的地址、长度及哈希值,所述派遣函数表信息包括所述驱动程序的派遣函数表的地址、长度及哈希值;27. 
The device according to claim 26, wherein the callback function table information includes the address, length and hash value of the driver's callback function table, and the dispatch function table information includes the driver The address, length and hash value of the dispatch function table; 所述第二线程根据所述关键信息中的回调函数表信息及派遣函数表信息,对所述驱动程序的回调函数表及派遣函数表进行守护,包括:The second thread guards the callback function table and dispatch function table of the driver according to the callback function table information and dispatch function table information in the key information, including: 所述第二线程根据所述回调函数表信息中的地址及长度,计算所述驱动程序的回调函数表的哈希值;The second thread calculates the hash value of the callback function table of the driver according to the address and length in the callback function table information; 在所述驱动程序的回调函数表的哈希值与所述回调函数表信息中的哈希值不同的情况下,所述第二线程根据驱动映像、所述回调函数表信息中的地址及长度,对所述驱动程序的回调函数表进行修复;When the hash value of the callback function table of the driver is different from the hash value in the callback function table information, the second thread according to the driver image, the address and the length in the callback function table information , repairing the callback function table of the driver; 所述第二线程根据所述派遣函数表信息中的地址及长度,计算所述驱动程序的派遣函数表的哈希值;The second thread calculates the hash value of the driver's dispatch function table according to the address and length in the dispatch function table information; 在所述驱动程序的派遣函数表的哈希值与所述派遣函数表信息中的哈希值不同的情况下,所述第二线程根据驱动映像、所述派遣函数表信息中的地址及长度,对所述驱动程序的派遣函数表进行修复。When the hash value of the dispatch function table of the driver is different from the hash value in the dispatch function table information, the second thread according to the driver image, the address and the length in the dispatch function table information , and repair the dispatch function table of the driver. 28.根据权利要求22所述的装置,其特征在于,所述第三守护子模块,用于:28. 
The device according to claim 22, wherein the third guardian submodule is configured to: 所述第三线程根据所述关键信息中的回调函数信息,对所述驱动程序的回调函数进行守护;The third thread guards the callback function of the driver according to the callback function information in the key information; 所述第三线程根据所述第一线程信息,对所述第一线程进行守护。The third thread guards the first thread according to the first thread information. 29.根据权利要求28所述的装置,其特征在于,所述回调函数信息包括所述驱动程序的所有回调函数的地址、长度及哈希值;29. The device according to claim 28, wherein the callback function information includes addresses, lengths and hash values of all callback functions of the driver; 所述第三线程根据所述关键信息中的回调函数信息,对所述驱动程序的回调函数进行守护,包括:The third thread guards the callback function of the driver according to the callback function information in the key information, including: 对于驱动程序的任一回调函数,所述第三线程根据所述回调函数信息中所述回调函数的地址及长度,计算所述回调函数的哈希值;For any callback function of the driver, the third thread calculates the hash value of the callback function according to the address and length of the callback function in the callback function information; 在所述回调函数的哈希值与参考哈希值不同的情况下,所述第二线程根据驱动映像、所述回调函数表信息中所述回调函数的地址及长度,对所述回调函数的代码进行修复,所述参考哈希值为所述回调函数信息中所述回调函数的哈希值。In the case where the hash value of the callback function is different from the reference hash value, the second thread calculates the callback function according to the driver image, the address and the length of the callback function in the callback function table information The code is repaired, and the reference hash value is the hash value of the callback function in the callback function information. 30.根据权利要求21所述的装置,其特征在于,所述装置还包括:30. The device of claim 21, further comprising: 第二守护模块,所述驱动程序的中断服务对所述第一线程进行守护。The second guard module, the interrupt service of the driver guards the first thread. 31.根据权利要求30所述的装置,其特征在于,所述第二守护模块,包括:31. 
The device according to claim 30, wherein the second guard module comprises: 第一计算子模块,在所述驱动程序的中断服务执行中断处理之前,所述中断服务根据所述第一线程信息中的地址及长度,计算所述第一代码的哈希值;The first calculation submodule, before the interrupt service of the driver program executes interrupt processing, the interrupt service calculates the hash value of the first code according to the address and length in the first thread information; 第一检查子模块,在所述第一代码的哈希值与所述第一线程信息中的哈希值相同的情况下,所述中断服务检查所述第一线程是否退出;A first checking submodule, when the hash value of the first code is the same as the hash value in the first thread information, the interrupt service checks whether the first thread exits; 执行子模块,在所述第一线程未退出的情况下,所述中断服务执行所述中断处理。Executing a sub-module, if the first thread has not exited, the interrupt service executes the interrupt processing. 32.根据权利要求30所述的装置,其特征在于,所述装置还包括:32. The device of claim 30, further comprising: 第三守护模块,所述硬件设备的固件对所述中断服务进行守护。The third guard module, the firmware of the hardware device guards the interrupt service. 33.根据权利要求32所述的装置,其特征在于,所述关键信息还包括所述中断服务对应的中断处理函数信息,所述中断处理函数信息包括所述中断服务对应的中断处理函数的地址、长度及哈希值;33. 
The device according to claim 32, wherein the key information further includes interrupt handler information corresponding to the interrupt service, and the interrupt handler information includes an address of the interrupt handler corresponding to the interrupt service , length and hash value; 所述第三守护模块,包括:The third guardian module includes: 第二计算子模块,所述固件根据所述中断处理函数信息中的地址及长度,计算所述中断处理函数的哈希值;The second computing submodule, the firmware calculates the hash value of the interrupt processing function according to the address and length in the interrupt processing function information; 休眠子模块,在所述中断处理函数的哈希值与所述中断处理函数信息中的哈希值相同的情况下,所述固件休眠预设时长后,重新从下述步骤开始执行:所述固件根据所述中断处理函数信息中的地址及长度,计算所述中断处理函数的哈希值。The dormancy sub-module, when the hash value of the interrupt processing function is the same as the hash value in the interrupt processing function information, after the firmware sleeps for a preset period of time, it starts to execute from the following steps again: the The firmware calculates the hash value of the interrupt processing function according to the address and length in the interrupt processing function information. 34.根据权利要求33所述的装置,其特征在于,所述第三守护模块,包括:34. 
The device according to claim 33, wherein the third guard module comprises: 中断服务停止子模块,在所述中断处理函数的哈希值与所述中断处理函数信息中的哈希值不同的情况下,所述固件控制所述硬件设备停止发送中断请求,以停止所述中断服务;The interrupt service stop submodule, when the hash value of the interrupt processing function is different from the hash value in the interrupt processing function information, the firmware controls the hardware device to stop sending interrupt requests, so as to stop the interruption of service; 修复子模块,所述固件根据驱动映像、所述中断处理函数信息中的地址及长度,对所述中断处理函数进行修复;repair submodule, the firmware repairs the interrupt processing function according to the drive image, the address and the length in the interrupt processing function information; 中断服务恢复子模块,在修复完成后,所述固件控制所述硬件设备恢复中断请求的发送,以恢复所述中断服务。The interrupt service recovery submodule, after the repair is completed, the firmware controls the hardware device to resume sending the interrupt request, so as to resume the interrupt service. 35.根据权利要求21所述的装置,其特征在于,所述第一信息确定模块,包括:35. The device according to claim 21, wherein the first information determining module comprises: 第二检查子模块,在所述驱动程序载入内存后,检查所述驱动程序在加载过程中是否被修改;The second check submodule, after the driver is loaded into the memory, checks whether the driver is modified during the loading process; 信息确定子模块,在所述驱动程序在加载过程中未被修改的情况下,确定所述驱动程序的关键信息。The information determination submodule determines the key information of the driver under the condition that the driver is not modified during the loading process. 36.根据权利要求35所述的装置,其特征在于,所述第二检查子模块,用于:36. 
The device according to claim 35, wherein the second checking submodule is configured to: 在所述驱动程序载入内存后,对所述驱动程序进行校验,所述校验包括哈希校验、证书签名校验中的至少一种;After the driver program is loaded into the memory, the driver program is verified, and the verification includes at least one of hash verification and certificate signature verification; 在校验通过的情况下,对所述驱动程序进行对齐及重定位处理;If the verification is passed, the driver is aligned and relocated; 根据驱动映像,判断所述驱动程序在加载过程中是否被修改。According to the driver image, it is judged whether the driver is modified during the loading process. 37.根据权利要求36所述的装置,其特征在于,所述根据驱动映像,判断所述驱动程序在加载过程中是否被修改,包括:37. The device according to claim 36, wherein the judging whether the driver is modified during the loading process according to the driver image comprises: 分别计算所述驱动映像的哈希值及所述驱动程序的哈希值;respectively calculating the hash value of the driver image and the hash value of the driver; 在所述驱动映像的哈希值与所述驱动程序的哈希值相同的情况下,确定所述驱动程序在加载过程中未被修改。If the hash value of the driver image is the same as the hash value of the driver, it is determined that the driver has not been modified during the loading process. 38.根据权利要求35所述的装置,其特征在于,所述信息确定子模块,用于:38. The device according to claim 35, wherein the information determining submodule is configured to: 在驱动程序在加载过程中被修改的情况下,根据驱动映像,对所述驱动程序进行修复;In the case that the driver is modified during the loading process, repairing the driver according to the driver image; 在所述驱动程序修复完成后,确定所述驱动程序的关键信息。After the driver is repaired, key information of the driver is determined. 39.根据权利要求21所述的装置,其特征在于,所述装置还包括:39. The device of claim 21, further comprising: 注册模块,用于确定出所述回调函数信息后,通过自定义的回调注册函数,对所述驱动程序的回调函数进行注册。The registration module is configured to register the callback function of the driver through a self-defined callback registration function after determining the callback function information. 40.根据权利要求21-39中任意一项所述的装置,其特征在于,所述装置还包括:40. 
The device according to any one of claims 21-39, further comprising: 存储模块,用于将所述关键信息、所述第一线程信息、所述第二线程信息及所述第三线程信息,存储至预设的存储区域,所述存储区域为仅允许写入一次的存储区域。A storage module, configured to store the key information, the first thread information, the second thread information, and the third thread information in a preset storage area, and the storage area is only allowed to be written once storage area.
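The guard pass described in claims 4, 5, 7, 9 and 23 to 25 (hash the region named by an address/length/hash record, repair it from the driver image on mismatch, restart a peer thread that has exited), modelled in user space as an added example; it is not code from the patent or its applicant. The FNV-1a hash, the buffer offsets standing in for addresses, the `alive` flag, the 48-byte layout and all names are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in hash (64-bit FNV-1a); the claims do not name an algorithm. */
static uint64_t region_hash(const uint8_t *p, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* One "information" record: address (here an offset), length, hash value. */
struct guard_record { size_t offset; size_t length; uint64_t hash; };
/* live: the loaded driver, which can be modified; image: the in-memory backup. */
struct driver_ctx { uint8_t *live; const uint8_t *image; size_t size; };
/* A guarded thread, modelled as its code region plus a liveness flag. */
struct guarded_thread { struct guard_record code; int alive; int restarts; };
enum guard_result { GUARD_OK, GUARD_REPAIRED, GUARD_RESTARTED, GUARD_ERROR };

/* Take a reference record; done once, after the load-time check has passed. */
static struct guard_record make_record(const uint8_t *base, size_t off, size_t len)
{
    struct guard_record r = { off, len, region_hash(base + off, len) };
    return r;
}

/* Claims 4, 7, 9: re-hash the region; on mismatch copy it back from the image. */
static enum guard_result guard_region(struct driver_ctx *d, const struct guard_record *r)
{
    if (r->offset > d->size || r->length > d->size - r->offset) return GUARD_ERROR;
    uint8_t *p = d->live + r->offset;
    if (region_hash(p, r->length) == r->hash) return GUARD_OK;
    memcpy(p, d->image + r->offset, r->length);
    return region_hash(p, r->length) == r->hash ? GUARD_REPAIRED : GUARD_ERROR;
}

/* Claims 5, 23-25: one pass over a peer thread; the caller sleeps between passes. */
static enum guard_result guard_thread(struct driver_ctx *d, struct guarded_thread *t)
{
    enum guard_result r = guard_region(d, &t->code);
    if (r == GUARD_ERROR) return r;
    if (!t->alive) { t->alive = 1; t->restarts++; return GUARD_RESTARTED; }
    return r;
}

/* One round of the ring; only a live thread performs its guard duty. */
static int ring_round(struct driver_ctx *d, struct guarded_thread t[3],
                      const struct guard_record obj[3])
{
    int actions = 0;
    if (t[0].alive) actions += guard_thread(d, &t[1]) != GUARD_OK; /* first thread */
    if (t[1].alive) {                                    /* second thread */
        actions += guard_region(d, &obj[0]) != GUARD_OK; /* callback table */
        actions += guard_region(d, &obj[1]) != GUARD_OK; /* dispatch table */
        actions += guard_thread(d, &t[2]) != GUARD_OK;
    }
    if (t[2].alive) {                                    /* third thread */
        actions += guard_region(d, &obj[2]) != GUARD_OK; /* callback function */
        actions += guard_thread(d, &t[0]) != GUARD_OK;
    }
    return actions;
}

struct demo_out { int round[3]; int restored; int t1_restarts; int bad_record; };
/* Constructed 48-byte "driver": three thread bodies, two tables, one callback. */
struct demo_out run_demo(void)
{
    uint8_t image[48], live[48];
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(i * 7 + 3);
    memcpy(live, image, sizeof live);
    struct driver_ctx d = { live, image, sizeof live };
    struct guarded_thread t[3];
    struct guard_record obj[3], bad = { 40, 16, 0 };
    for (size_t i = 0; i < 3; i++) {
        t[i].code = make_record(live, i * 8, 8); t[i].alive = 1; t[i].restarts = 0;
        obj[i] = make_record(live, 24 + i * 8, 8);
    }
    live[9] ^= 0xFF;   /* second thread's code modified */
    live[34] ^= 0xFF;  /* dispatch table entry modified */
    t[0].alive = 0;    /* first thread has exited */
    struct demo_out o = { {0, 0, 0}, 0, 0, 0 };
    for (int i = 0; i < 3; i++) o.round[i] = ring_round(&d, t, obj);
    o.restored = memcmp(live, image, sizeof live) == 0;
    o.t1_restarts = t[0].restarts;
    o.bad_record = guard_region(&d, &bad) == GUARD_ERROR;
    return o;
}

int main(void)
{
    struct demo_out o = run_demo();
    printf("actions per round: %d %d %d\n", o.round[0], o.round[1], o.round[2]);
}
```

In the constructed run the second thread's code stays modified for one extra round, because its guard (the first thread) must first be restarted by the third thread; the preset sleep duration therefore bounds how long such a state can persist.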
CN202211478795.8A 2022-11-24 2022-11-24 Driver protection method and device Active CN115577347B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211478795.8A CN115577347B (en) 2022-11-24 2022-11-24 Driver protection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211478795.8A CN115577347B (en) 2022-11-24 2022-11-24 Driver protection method and device

Publications (2)

Publication Number Publication Date
CN115577347A CN115577347A (en) 2023-01-06
CN115577347B true CN115577347B (en) 2023-03-24

Family

ID=84590502

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211478795.8A Active CN115577347B (en) 2022-11-24 2022-11-24 Driver protection method and device

Country Status (1)

Country Link
CN (1) CN115577347B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6314471B1 (en) * 1998-11-13 2001-11-06 Cray Inc. Techniques for an interrupt free operating system
CN105068916A (en) * 2015-08-28 2015-11-18 福建六壬网安股份有限公司 Kernel hook based process behavior monitoring method
CN112434286A (en) * 2020-11-12 2021-03-02 浙江大华技术股份有限公司 Dynamic library calling method and device, electronic device and storage medium
CN114138369A (en) * 2021-12-02 2022-03-04 北京江民新科技术有限公司 Process protection method and system for the whole system of Windows

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
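Title
"A Fine-Grained Task Monitoring Mechanism in Spark Platform"; Cheng Chen et al.; Advances in Engineering Research; full text *
"Research on Key Technologies of Software Security Protection Based on System Virtualization"; 邹冰玉; China Doctoral Dissertations Full-text Database, Information Science and Technology; full text *
"Research and Practice on Automatic Loading of Multi-thread Protected Applications"; 龚尚福 et al.; Journal of Xi'an University of Science and Technology; Vol. 33 (No. 2); full text *
"Preliminary Study of a Domain-Oriented Software Component Library System"; 李孝明; Computer & Digital Engineering; Vol. 32 (No. 1); full text *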

Also Published As

Publication number Publication date
CN115577347A (en) 2023-01-06

Similar Documents

Publication Publication Date Title
US20200302057A1 (en) Verifying controller code
US9880908B2 (en) Recovering from compromised system boot code
JP5767751B2 (en) Method, computing platform, and program for verifying BIOS
JP4708414B2 (en) Autonomous memory checker for runtime security assurance
EP2989579B1 (en) Redundant system boot code in a secondary non-volatile memory
US7793347B2 (en) Method and system for validating a computer system
US8028174B2 (en) Controlling update of content of a programmable read-only memory
TWI672634B (en) Bios security
CN101504704B (en) Star trust chain supporting embedded platform application program integrality verification method
WO2014000613A1 (en) System repair method and device, and storage medium
US10482256B2 (en) Information processing apparatus and method of controlling the apparatus
WO2006058472A1 (en) Method for establishing a trusted running environment in the computer
US20210192014A1 (en) Software verification device and software verification method
TW201212037A (en) Methods and apparatus to protect segments of memory
EP4116851A1 (en) Trusted measurement method and related apparatus
US9448888B2 (en) Preventing a rollback attack in a computing system that includes a primary memory bank and a backup memory bank
JP4947239B2 (en) Information processing apparatus having configuration change verification function and control method thereof
TWI676889B (en) Boot data validity
US20220374511A1 (en) Systems and methods for assuring integrity of operating system and software components at runtime
CN115577347B (en) Driver protection method and device
US9612915B2 (en) Flash memory-hosted local and remote out-of-service platform manageability
CN104573417A (en) UEFI (Unified Extensible Firmware Interface)-based software whole-process protection system and UEFI-based software whole-process protection method
US20200244461A1 (en) Data Processing Method and Apparatus
CN116880265A (en) Safety monitoring device and method for auxiliary driving system, computer equipment and medium
EP3940565A1 (en) System management states

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: B655, 4th Floor, Building 14, Cuiwei Zhongli, Haidian District, Beijing, 100036

Patentee after: Mole Thread Intelligent Technology (Beijing) Co.,Ltd.

Country or region after: China

Address before: 209, 2nd Floor, No. 31 Haidian Street, Haidian District, Beijing

Patentee before: Moore Threads Technology Co., Ltd.

Country or region before: China